From d164bb1772e6c4b1761bea86dc4b8f0940764995 Mon Sep 17 00:00:00 2001 From: John Terpstra <jht@samba.org> Date: Sat, 5 Apr 2003 23:39:01 +0000 Subject: Update for other contributors to. (This used to be commit d12a1bb8260673a5c280960b21957e68b241e540) --- docs/htmldocs/Samba-HOWTO-Collection.html | 10800 +++++++++++++++++----------- 1 file changed, 6643 insertions(+), 4157 deletions(-) (limited to 'docs/htmldocs') diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index 73bc3eb60a..9b79518cec 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -32,20 +32,41 @@ CLASS="AUTHOR" NAME="AEN4" ></A >SAMBA Team</H3 -><HR></DIV -><HR><H1 +><DIV +CLASS="AFFILIATION" +><DIV +CLASS="ADDRESS" +><P +CLASS="ADDRESS" +><CODE +CLASS="EMAIL" +><<A +HREF="mailto:samba@samba.org" +>samba@samba.org</A +>></CODE +></P +></DIV +></DIV +><H4 +CLASS="EDITEDBY" +>Edited by</H4 +><H3 +CLASS="EDITOR" +>John H Terpstra</H3 +><H3 +CLASS="EDITOR" +>Jelmer Vernooij</H3 +><H3 +CLASS="EDITOR" +>Gerald (Jerry) Carter</H3 +><DIV +><DIV +CLASS="ABSTRACT" +><P +></P ><A -NAME="AEN8" +NAME="AEN32" ></A ->Abstract</H1 -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->Last Update</I -></SPAN -> : Wed Jan 15</P ><P >This book is a collection of HOWTOs added to Samba documentation over the years. I try to ensure that all are current, but sometimes the is a larger job @@ -66,6 +87,17 @@ TARGET="_top" >jelmer@samba.org</A >.</P ><P +></P +></DIV +></DIV +><DIV +CLASS="LEGALNOTICE" +><P +></P +><A +NAME="AEN37" +></A +><P >This documentation is distributed under the GNU General Public License (GPL) version 2. A copy of the license is included with the Samba source distribution. A copy can be found on-line at <A @@ -74,7 +106,9 @@ TARGET="_top" >http://www.fsf.org/licenses/gpl.txt</A ></P ><P ->Cheers, jerry</P +></P +></DIV +><HR></DIV ><DIV CLASS="TOC" ><DL 
@@ -98,34 +132,34 @@ HREF="#INSTALL" ><DL ><DT >1.1. <A -HREF="#AEN26" +HREF="#AEN65" >Obtaining and installing samba</A ></DT ><DT >1.2. <A -HREF="#AEN31" +HREF="#AEN70" >Configuring samba</A ></DT ><DT >1.3. <A -HREF="#AEN64" +HREF="#AEN103" >Try listing the shares available on your server</A ></DT ><DT >1.4. <A -HREF="#AEN73" +HREF="#AEN112" >Try connecting with the unix client</A ></DT ><DT >1.5. <A -HREF="#AEN89" +HREF="#AEN128" >Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></DT ><DT >1.6. <A -HREF="#AEN103" +HREF="#AEN142" >What If Things Don't Work?</A ></DT ></DL @@ -139,38 +173,44 @@ HREF="#BROWSING-QUICK" ><DL ><DT >2.1. <A -HREF="#AEN130" +HREF="#AEN174" >Discussion</A ></DT ><DT >2.2. <A -HREF="#AEN139" +HREF="#AEN193" >How browsing functions and how to deploy stable and dependable browsing using Samba</A ></DT ><DT >2.3. <A -HREF="#AEN149" ->Use of the "Remote Announce" parameter</A +HREF="#AEN207" +>Use of the <B +CLASS="COMMAND" +>Remote Announce</B +> parameter</A ></DT ><DT >2.4. <A -HREF="#AEN163" ->Use of the "Remote Browse Sync" parameter</A +HREF="#AEN230" +>Use of the <B +CLASS="COMMAND" +>Remote Browse Sync</B +> parameter</A ></DT ><DT >2.5. <A -HREF="#AEN168" +HREF="#AEN241" >Use of WINS</A ></DT ><DT >2.6. <A -HREF="#AEN179" +HREF="#AEN255" >Do NOT use more than one (1) protocol on MS Windows machines</A ></DT ><DT >2.7. <A -HREF="#AEN187" +HREF="#AEN263" >Name Resolution Order</A ></DT ></DL 
@@ -184,42 +224,42 @@ HREF="#PASSDB"
 ><DL
 ><DT
 >3.1. <A
-HREF="#AEN244"
+HREF="#AEN321"
 >Introduction</A
 ></DT
 ><DT
 >3.2. <A
-HREF="#AEN251"
+HREF="#AEN328"
 >Important Notes About Security</A
 ></DT
 ><DT
 >3.3. <A
-HREF="#AEN289"
+HREF="#AEN366"
 >The smbpasswd Command</A
 ></DT
 ><DT
 >3.4. <A
-HREF="#AEN320"
+HREF="#AEN397"
 >Plain text</A
 ></DT
 ><DT
 >3.5. <A
-HREF="#AEN325"
+HREF="#AEN402"
 >TDB</A
 ></DT
 ><DT
 >3.6. <A
-HREF="#AEN328"
+HREF="#AEN405"
 >LDAP</A
 ></DT
 ><DT
 >3.7. <A
-HREF="#AEN546"
+HREF="#AEN623"
 >MySQL</A
 ></DT
 ><DT
 >3.8. <A
-HREF="#AEN588"
+HREF="#AEN665"
 >XML</A
 ></DT
 ></DL
@@ -242,17 +282,17 @@ HREF="#SERVERTYPE"
 ><DL
 ><DT
 >4.1. <A
-HREF="#AEN626"
+HREF="#AEN703"
 >Stand Alone Server</A
 ></DT
 ><DT
 >4.2. <A
-HREF="#AEN633"
+HREF="#AEN710"
 >Domain Member Server</A
 ></DT
 ><DT
 >4.3. <A
-HREF="#AEN639"
+HREF="#AEN716"
 >Domain Controller</A
 ></DT
 ></DL
@@ -266,7 +306,7 @@ HREF="#SECURITYLEVELS"
 ><DL
 ><DT
 >5.1. <A
-HREF="#AEN668"
+HREF="#AEN752"
 >User and Share security level</A
 ></DT
 ></DL
@@ -280,37 +320,37 @@ HREF="#SAMBA-PDC"
 ><DL
 ><DT
 >6.1. <A
-HREF="#AEN772"
+HREF="#AEN859"
 >Prerequisite Reading</A
 ></DT
 ><DT
 >6.2. <A
-HREF="#AEN777"
+HREF="#AEN864"
 >Background</A
 ></DT
 ><DT
 >6.3. <A
-HREF="#AEN817"
+HREF="#AEN904"
 >Configuring the Samba Domain Controller</A
 ></DT
 ><DT
 >6.4. <A
-HREF="#AEN859"
+HREF="#AEN946"
 >Creating Machine Trust Accounts and Joining Clients to the Domain</A
 ></DT
 ><DT
 >6.5. <A
-HREF="#AEN967"
+HREF="#AEN1054"
 >Common Problems and Errors</A
 ></DT
 ><DT
 >6.6. <A
-HREF="#AEN1013"
+HREF="#AEN1100"
 >What other help can I get?</A
 ></DT
 ><DT
 >6.7. <A
-HREF="#AEN1127"
+HREF="#AEN1214"
 >Domain Control for Windows 9x/ME</A
 ></DT
 ></DL
@@ -324,27 +364,27 @@ HREF="#SAMBA-BDC"
 ><DL
 ><DT
 >7.1. <A
-HREF="#AEN1180"
+HREF="#AEN1267"
 >Prerequisite Reading</A
 ></DT
 ><DT
 >7.2. <A
-HREF="#AEN1184"
+HREF="#AEN1271"
 >Background</A
 ></DT
 ><DT
 >7.3. <A
-HREF="#AEN1192"
+HREF="#AEN1279"
 >What qualifies a Domain Controller on the network?</A
 ></DT
 ><DT
 >7.4. <A
-HREF="#AEN1201"
+HREF="#AEN1288"
 >Can Samba be a Backup Domain Controller to an NT PDC?</A
 ></DT
 ><DT
 >7.5. <A
-HREF="#AEN1206"
+HREF="#AEN1293"
 >How do I set up a Samba BDC?</A
 ></DT
 ></DL
@@ -358,7 +398,7 @@ HREF="#ADS"
 ><DL
 ><DT
 >8.1. <A
-HREF="#AEN1238"
+HREF="#AEN1336"
 >Setup your <TT
 CLASS="FILENAME"
 >smb.conf</TT
@@ -366,7 +406,7 @@ CLASS="FILENAME"
 ></DT
 ><DT
 >8.2. <A
-HREF="#AEN1249"
+HREF="#AEN1349"
 >Setup your <TT
 CLASS="FILENAME"
 >/etc/krb5.conf</TT
@@ -374,22 +414,22 @@ CLASS="FILENAME"
 ></DT
 ><DT
 >8.3. <A
-HREF="#AEN1260"
+HREF="#ADS-CREATE-MACHINE-ACCOUNT"
 >Create the computer account</A
 ></DT
 ><DT
 >8.4. <A
-HREF="#AEN1272"
+HREF="#ADS-TEST-SERVER"
 >Test your server setup</A
 ></DT
 ><DT
 >8.5. <A
-HREF="#AEN1277"
+HREF="#ADS-TEST-SMBCLIENT"
 >Testing with smbclient</A
 ></DT
 ><DT
 >8.6. <A
-HREF="#AEN1280"
+HREF="#AEN1390"
 >Notes</A
 ></DT
 ></DL
@@ -403,12 +443,12 @@ HREF="#DOMAIN-SECURITY"
 ><DL
 ><DT
 >9.1. <A
-HREF="#AEN1302"
+HREF="#AEN1413"
 >Joining an NT Domain with Samba 3.0</A
 ></DT
 ><DT
 >9.2. <A
-HREF="#AEN1356"
+HREF="#AEN1467"
 >Why is this better than security = server?</A
 ></DT
 ></DL
@@ -424,358 +464,416 @@ HREF="#OPTIONAL" ><DL ><DT >10. <A -HREF="#ADVANCEDNETWORKMANAGEMENT" ->Advanced Network Manangement Information</A -></DT -><DD -><DL -><DT ->10.1. <A -HREF="#AEN1388" ->Remote Server Administration</A -></DT -></DL -></DD -><DT ->11. <A HREF="#UNIX-PERMISSIONS" >UNIX Permission Bits and Windows NT Access Control Lists</A ></DT ><DD ><DL ><DT ->11.1. <A -HREF="#AEN1416" +>10.1. <A +HREF="#AEN1499" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT ->11.2. <A -HREF="#AEN1420" +>10.2. <A +HREF="#AEN1505" >How to view file security on a Samba share</A ></DT ><DT ->11.3. <A -HREF="#AEN1431" +>10.3. <A +HREF="#AEN1516" >Viewing file ownership</A ></DT ><DT ->11.4. <A -HREF="#AEN1451" +>10.4. <A +HREF="#AEN1536" >Viewing file or directory permissions</A ></DT ><DT ->11.5. <A -HREF="#AEN1487" +>10.5. <A +HREF="#AEN1572" >Modifying file or directory permissions</A ></DT ><DT ->11.6. <A -HREF="#AEN1509" +>10.6. <A +HREF="#AEN1594" >Interaction with the standard Samba create mask parameters</A ></DT ><DT ->11.7. <A -HREF="#AEN1563" +>10.7. <A +HREF="#AEN1648" >Interaction with the standard Samba file attribute mapping</A ></DT ></DL ></DD ><DT ->12. <A +>11. <A HREF="#GROUPMAPPING" ->Group mapping HOWTO</A -></DT -><DT ->13. <A -HREF="#PAM" ->Configuring PAM for distributed but centrally -managed authentication</A +>Configuring Group Mapping</A ></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1619" ->Samba and PAM</A -></DT -><DT ->13.2. <A -HREF="#AEN1668" ->Distributed Authentication</A -></DT -><DT ->13.3. <A -HREF="#AEN1673" ->PAM Configuration in smb.conf</A -></DT -></DL -></DD ><DT ->14. <A +>12. <A HREF="#PRINTING" >Printing Support</A ></DT ><DD ><DL ><DT ->14.1. <A -HREF="#AEN1699" +>12.1. <A +HREF="#AEN1711" >Introduction</A ></DT ><DT ->14.2. <A -HREF="#AEN1721" +>12.2. <A +HREF="#AEN1733" >Configuration</A ></DT ><DT ->14.3. <A -HREF="#AEN1829" +>12.3. 
<A +HREF="#AEN1845" >The Imprints Toolset</A ></DT ><DT ->14.4. <A -HREF="#AEN1872" +>12.4. <A +HREF="#AEN1888" >Diagnosis</A ></DT ></DL ></DD ><DT ->15. <A +>13. <A HREF="#CUPS-PRINTING" >CUPS Printing Support</A ></DT ><DD ><DL ><DT ->15.1. <A -HREF="#AEN1984" +>13.1. <A +HREF="#AEN2000" >Introduction</A ></DT ><DT ->15.2. <A -HREF="#AEN1989" ->CUPS - RAW Print Through Mode</A +>13.2. <A +HREF="#AEN2007" +>Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A ></DT ><DT ->15.3. <A -HREF="#AEN2044" ->The CUPS Filter Chains</A +>13.3. <A +HREF="#AEN2026" +>CUPS - RAW Print Through Mode</A ></DT ><DT ->15.4. <A +>13.4. <A HREF="#AEN2083" +>CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A +></DT +><DT +>13.5. <A +HREF="#AEN2104" +>Windows Terminal Servers (WTS) as CUPS clients</A +></DT +><DT +>13.6. <A +HREF="#AEN2108" +>Setting up CUPS for driver download</A +></DT +><DT +>13.7. <A +HREF="#AEN2120" +>Sources of CUPS drivers / PPDs</A +></DT +><DT +>13.8. <A +HREF="#AEN2176" +>The CUPS Filter Chains</A +></DT +><DT +>13.9. <A +HREF="#AEN2215" >CUPS Print Drivers and Devices</A ></DT ><DT ->15.5. <A -HREF="#AEN2160" +>13.10. <A +HREF="#AEN2292" >Limiting the number of pages users can print</A ></DT ><DT ->15.6. <A -HREF="#AEN2249" +>13.11. <A +HREF="#AEN2388" >Advanced Postscript Printing from MS Windows</A ></DT ><DT ->15.7. <A -HREF="#AEN2264" +>13.12. <A +HREF="#AEN2403" >Auto-Deletion of CUPS spool files</A ></DT ></DL ></DD ><DT ->16. <A +>14. <A HREF="#WINBIND" >Unified Logons between Windows NT and UNIX using Winbind</A ></DT ><DD ><DL ><DT ->16.1. <A -HREF="#AEN2326" +>14.1. <A +HREF="#AEN2469" >Abstract</A ></DT ><DT ->16.2. <A -HREF="#AEN2330" +>14.2. <A +HREF="#AEN2473" >Introduction</A ></DT ><DT ->16.3. <A -HREF="#AEN2343" +>14.3. <A +HREF="#AEN2486" >What Winbind Provides</A ></DT ><DT ->16.4. <A -HREF="#AEN2354" +>14.4. 
<A +HREF="#AEN2497" >How Winbind Works</A ></DT ><DT ->16.5. <A -HREF="#AEN2397" +>14.5. <A +HREF="#AEN2540" >Installation and Configuration</A ></DT ><DT ->16.6. <A -HREF="#AEN2654" +>14.6. <A +HREF="#AEN2797" >Limitations</A ></DT ><DT ->16.7. <A -HREF="#AEN2664" +>14.7. <A +HREF="#AEN2807" >Conclusion</A ></DT ></DL ></DD ><DT ->17. <A -HREF="#POLICYMGMT" ->Policy Management - Hows and Whys</A +>15. <A +HREF="#ADVANCEDNETWORKMANAGEMENT" +>Advanced Network Manangement</A ></DT ><DD ><DL ><DT ->17.1. <A -HREF="#AEN2678" ->System Policies</A +>15.1. <A +HREF="#AEN2822" +>Configuring Samba Share Access Controls</A ></DT -></DL -></DD ><DT ->18. <A -HREF="#PROFILEMGMT" ->Profile Management</A +>15.2. <A +HREF="#AEN2860" +>Remote Server Administration</A ></DT -><DD -><DL ><DT ->18.1. <A -HREF="#AEN2761" ->Roaming Profiles</A +>15.3. <A +HREF="#AEN2877" +>Network Logon Script Magic</A ></DT ></DL ></DD ><DT ->19. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A +>16. <A +HREF="#POLICYMGMT" +>System and Account Policies</A ></DT ><DD ><DL ><DT ->19.1. <A -HREF="#AEN2975" ->Name Resolution in a pure Unix/Linux world</A +>16.1. <A +HREF="#AEN2892" +>Creating and Managing System Policies</A ></DT ><DT ->19.2. <A -HREF="#AEN3038" ->Name resolution as used within MS Windows networking</A +>16.2. <A +HREF="#AEN2965" +>Managing Account/User Policies</A ></DT ></DL ></DD ><DT ->20. <A -HREF="#IMPROVED-BROWSING" ->Improved browsing in samba</A +>17. <A +HREF="#PROFILEMGMT" +>Desktop Profile Management</A ></DT ><DD ><DL ><DT ->20.1. <A -HREF="#AEN3090" ->Overview of browsing</A +>17.1. <A +HREF="#AEN2998" +>Roaming Profiles</A ></DT ><DT ->20.2. <A -HREF="#AEN3095" ->Browsing support in samba</A +>17.2. <A +HREF="#AEN3196" +>Mandatory profiles</A ></DT ><DT ->20.3. <A -HREF="#AEN3103" ->Problem resolution</A +>17.3. <A +HREF="#AEN3203" +>Creating/Managing Group Profiles</A ></DT ><DT ->20.4. 
<A -HREF="#AEN3112" ->Browsing across subnets</A +>17.4. <A +HREF="#AEN3209" +>Default Profile for Windows Users</A ></DT +></DL +></DD ><DT ->20.5. <A -HREF="#AEN3152" ->Setting up a WINS server</A +>18. <A +HREF="#PAM" +>PAM Configuration for Centrally Managed Authentication</A ></DT +><DD +><DL ><DT ->20.6. <A -HREF="#AEN3171" ->Setting up Browsing in a WORKGROUP</A +>18.1. <A +HREF="#AEN3332" +>Samba and PAM</A ></DT ><DT ->20.7. <A -HREF="#AEN3189" ->Setting up Browsing in a DOMAIN</A +>18.2. <A +HREF="#AEN3383" +>Distributed Authentication</A ></DT ><DT ->20.8. <A -HREF="#AEN3199" ->Forcing samba to be the master</A +>18.3. <A +HREF="#AEN3388" +>PAM Configuration in smb.conf</A ></DT +></DL +></DD ><DT ->20.9. <A -HREF="#AEN3208" ->Making samba the domain master</A +>19. <A +HREF="#VFS" +>Stackable VFS modules</A ></DT +><DD +><DL ><DT ->20.10. <A -HREF="#AEN3226" ->Note about broadcast addresses</A +>19.1. <A +HREF="#AEN3423" +>Introduction and configuration</A ></DT ><DT ->20.11. <A -HREF="#AEN3229" ->Multiple interfaces</A +>19.2. <A +HREF="#AEN3432" +>Included modules</A +></DT +><DT +>19.3. <A +HREF="#AEN3490" +>VFS modules available elsewhere</A ></DT ></DL ></DD ><DT ->21. <A +>20. <A HREF="#MSDFS" >Hosting a Microsoft Distributed File System tree on Samba</A ></DT ><DD ><DL ><DT ->21.1. <A -HREF="#AEN3243" +>20.1. <A +HREF="#AEN3518" >Instructions</A ></DT ></DL ></DD ><DT +>21. <A +HREF="#INTEGRATE-MS-NETWORKS" +>Integrating MS Windows networks with Samba</A +></DT +><DD +><DL +><DT +>21.1. <A +HREF="#AEN3580" +>Name Resolution in a pure Unix/Linux world</A +></DT +><DT +>21.2. <A +HREF="#AEN3643" +>Name resolution as used within MS Windows networking</A +></DT +></DL +></DD +><DT >22. <A -HREF="#VFS" ->Stackable VFS modules</A +HREF="#IMPROVED-BROWSING" +>Improved browsing in samba</A ></DT ><DD ><DL ><DT >22.1. <A -HREF="#AEN3302" ->Introduction and configuration</A +HREF="#AEN3695" +>Overview of browsing</A ></DT ><DT >22.2. 
<A
-HREF="#AEN3311"
->Included modules</A
+HREF="#AEN3701"
+>Browsing support in samba</A
 ></DT
 ><DT
 >22.3. <A
-HREF="#AEN3365"
->VFS modules available elsewhere</A
+HREF="#AEN3714"
+>Problem resolution</A
+></DT
+><DT
+>22.4. <A
+HREF="#AEN3725"
+>Browsing across subnets</A
+></DT
+><DT
+>22.5. <A
+HREF="#AEN3765"
+>Setting up a WINS server</A
+></DT
+><DT
+>22.6. <A
+HREF="#AEN3785"
+>Setting up Browsing in a WORKGROUP</A
+></DT
+><DT
+>22.7. <A
+HREF="#AEN3808"
+>Setting up Browsing in a DOMAIN</A
+></DT
+><DT
+>22.8. <A
+HREF="#BROWSE-FORCE-MASTER"
+>Forcing samba to be the master</A
+></DT
+><DT
+>22.9. <A
+HREF="#AEN3843"
+>Making samba the domain master</A
+></DT
+><DT
+>22.10. <A
+HREF="#AEN3865"
+>Note about broadcast addresses</A
+></DT
+><DT
+>22.11. <A
+HREF="#AEN3868"
+>Multiple interfaces</A
 ></DT
 ></DL
 ></DD
@@ -788,32 +886,32 @@ HREF="#SECURING-SAMBA"
 ><DL
 ><DT
 >23.1. <A
-HREF="#AEN3391"
+HREF="#AEN3884"
 >Introduction</A
 ></DT
 ><DT
 >23.2. <A
-HREF="#AEN3394"
+HREF="#AEN3887"
 >Using host based protection</A
 ></DT
 ><DT
 >23.3. <A
-HREF="#AEN3401"
+HREF="#AEN3894"
 >Using interface protection</A
 ></DT
 ><DT
 >23.4. <A
-HREF="#AEN3410"
+HREF="#AEN3903"
 >Using a firewall</A
 ></DT
 ><DT
 >23.5. <A
-HREF="#AEN3417"
+HREF="#AEN3910"
 >Using a IPC$ share deny</A
 ></DT
 ><DT
 >23.6. <A
-HREF="#AEN3426"
+HREF="#AEN3919"
 >Upgrading Samba</A
 ></DT
 ></DL
@@ -827,12 +925,12 @@ HREF="#UNICODE"
 ><DL
 ><DT
 >24.1. <A
-HREF="#AEN3440"
+HREF="#AEN3933"
 >What are charsets and unicode?</A
 ></DT
 ><DT
 >24.2. <A
-HREF="#AEN3449"
+HREF="#AEN3942"
 >Samba and charsets</A
 ></DT
 ></DL
@@ -848,224 +946,262 @@ HREF="#APPENDIXES" ><DL ><DT >25. <A -HREF="#SPEED" ->Samba performance issues</A +HREF="#SWAT" +>SWAT - The Samba Web Admininistration Tool</A ></DT ><DD ><DL ><DT >25.1. <A -HREF="#AEN3486" ->Comparisons</A +HREF="#AEN3976" +>SWAT Features and Benefits</A ></DT +></DL +></DD ><DT ->25.2. <A -HREF="#AEN3492" ->Socket options</A +>26. <A +HREF="#NT4MIGRATION" +>Migration from NT4 PDC to Samba-3 PDC</A ></DT +><DD +><DL ><DT ->25.3. <A -HREF="#AEN3499" ->Read size</A +>26.1. <A +HREF="#AEN4012" +>Planning and Getting Started</A ></DT ><DT ->25.4. <A -HREF="#AEN3504" ->Max xmit</A +>26.2. <A +HREF="#AEN4021" +>Managing Samba-3 Domain Control</A +></DT +></DL +></DD +><DT +>27. <A +HREF="#SPEED" +>Samba performance issues</A +></DT +><DD +><DL +><DT +>27.1. <A +HREF="#AEN4041" +>Comparisons</A +></DT +><DT +>27.2. <A +HREF="#AEN4047" +>Socket options</A +></DT +><DT +>27.3. <A +HREF="#AEN4054" +>Read size</A +></DT +><DT +>27.4. <A +HREF="#AEN4059" +>Max xmit</A ></DT ><DT ->25.5. <A -HREF="#AEN3509" +>27.5. <A +HREF="#AEN4064" >Log level</A ></DT ><DT ->25.6. <A -HREF="#AEN3512" +>27.6. <A +HREF="#AEN4067" >Read raw</A ></DT ><DT ->25.7. <A -HREF="#AEN3517" +>27.7. <A +HREF="#AEN4072" >Write raw</A ></DT ><DT ->25.8. <A -HREF="#AEN3521" +>27.8. <A +HREF="#AEN4076" >Slow Clients</A ></DT ><DT ->25.9. <A -HREF="#AEN3525" +>27.9. <A +HREF="#AEN4080" >Slow Logins</A ></DT ><DT ->25.10. <A -HREF="#AEN3528" +>27.10. <A +HREF="#AEN4083" >Client tuning</A ></DT ></DL ></DD ><DT ->26. <A +>28. <A HREF="#PORTABILITY" >Portability</A ></DT ><DD ><DL ><DT ->26.1. <A -HREF="#AEN3568" +>28.1. <A +HREF="#AEN4127" >HPUX</A ></DT ><DT ->26.2. <A -HREF="#AEN3574" +>28.2. <A +HREF="#AEN4133" >SCO Unix</A ></DT ><DT ->26.3. <A -HREF="#AEN3578" +>28.3. <A +HREF="#AEN4137" >DNIX</A ></DT ><DT ->26.4. <A -HREF="#AEN3607" +>28.4. <A +HREF="#AEN4166" >RedHat Linux Rembrandt-II</A ></DT ><DT ->26.5. <A -HREF="#AEN3613" +>28.5. 
<A +HREF="#AEN4172" >AIX</A ></DT ></DL ></DD ><DT ->27. <A +>29. <A HREF="#OTHER-CLIENTS" >Samba and other CIFS clients</A ></DT ><DD ><DL ><DT ->27.1. <A -HREF="#AEN3633" +>29.1. <A +HREF="#AEN4196" >Macintosh clients?</A ></DT ><DT ->27.2. <A -HREF="#AEN3642" +>29.2. <A +HREF="#AEN4205" >OS2 Client</A ></DT ><DT ->27.3. <A -HREF="#AEN3682" +>29.3. <A +HREF="#AEN4245" >Windows for Workgroups</A ></DT ><DT ->27.4. <A -HREF="#AEN3706" +>29.4. <A +HREF="#AEN4269" >Windows '95/'98</A ></DT ><DT ->27.5. <A -HREF="#AEN3722" +>29.5. <A +HREF="#AEN4285" >Windows 2000 Service Pack 2</A ></DT +><DT +>29.6. <A +HREF="#AEN4302" +>Windows NT 3.1</A +></DT ></DL ></DD ><DT ->28. <A +>30. <A HREF="#COMPILING" >How to compile SAMBA</A ></DT ><DD ><DL ><DT ->28.1. <A -HREF="#AEN3749" +>30.1. <A +HREF="#AEN4323" >Access Samba source code via CVS</A ></DT ><DT ->28.2. <A -HREF="#AEN3792" +>30.2. <A +HREF="#AEN4366" >Accessing the samba sources via rsync and ftp</A ></DT ><DT ->28.3. <A -HREF="#AEN3798" +>30.3. <A +HREF="#AEN4372" >Building the Binaries</A ></DT ><DT ->28.4. <A -HREF="#AEN3855" +>30.4. <A +HREF="#AEN4429" >Starting the smbd and nmbd</A ></DT ></DL ></DD ><DT ->29. <A +>31. <A HREF="#BUGREPORT" >Reporting Bugs</A ></DT ><DD ><DL ><DT ->29.1. <A -HREF="#AEN3917" +>31.1. <A +HREF="#AEN4500" >Introduction</A ></DT ><DT ->29.2. <A -HREF="#AEN3927" +>31.2. <A +HREF="#AEN4510" >General info</A ></DT ><DT ->29.3. <A -HREF="#AEN3933" +>31.3. <A +HREF="#AEN4516" >Debug levels</A ></DT ><DT ->29.4. <A -HREF="#AEN3950" +>31.4. <A +HREF="#AEN4536" >Internal errors</A ></DT ><DT ->29.5. <A -HREF="#AEN3960" +>31.5. <A +HREF="#AEN4550" >Attaching to a running process</A ></DT ><DT ->29.6. <A -HREF="#AEN3963" +>31.6. <A +HREF="#AEN4558" >Patches</A ></DT ></DL ></DD ><DT ->30. <A +>32. <A HREF="#DIAGNOSIS" >The samba checklist</A ></DT ><DD ><DL ><DT ->30.1. <A -HREF="#AEN3986" +>32.1. <A +HREF="#AEN4581" >Introduction</A ></DT ><DT ->30.2. <A -HREF="#AEN3991" +>32.2. 
<A +HREF="#AEN4586" >Assumptions</A ></DT ><DT ->30.3. <A -HREF="#AEN4001" ->Tests</A +>32.3. <A +HREF="#AEN4596" +>The tests</A ></DT ><DT ->30.4. <A -HREF="#AEN4111" +>32.4. <A +HREF="#AEN4697" >Still having troubles?</A ></DT ></DL @@ -1087,7 +1223,7 @@ CLASS="TITLE" ><DIV CLASS="PARTINTRO" ><A -NAME="AEN21" +NAME="AEN42" ></A ><H1 >Introduction</H1 @@ -1112,60 +1248,60 @@ HREF="#INSTALL" ><DL ><DT >1.1. <A -HREF="#AEN26" +HREF="#AEN65" >Obtaining and installing samba</A ></DT ><DT >1.2. <A -HREF="#AEN31" +HREF="#AEN70" >Configuring samba</A ></DT ><DD ><DL ><DT >1.2.1. <A -HREF="#AEN36" +HREF="#AEN75" >Editing the smb.conf file</A ></DT ><DT >1.2.2. <A -HREF="#AEN58" +HREF="#AEN97" >SWAT</A ></DT ></DL ></DD ><DT >1.3. <A -HREF="#AEN64" +HREF="#AEN103" >Try listing the shares available on your server</A ></DT ><DT >1.4. <A -HREF="#AEN73" +HREF="#AEN112" >Try connecting with the unix client</A ></DT ><DT >1.5. <A -HREF="#AEN89" +HREF="#AEN128" >Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></DT ><DT >1.6. <A -HREF="#AEN103" +HREF="#AEN142" >What If Things Don't Work?</A ></DT ><DD ><DL ><DT >1.6.1. <A -HREF="#AEN108" +HREF="#AEN147" >Scope IDs</A ></DT ><DT >1.6.2. <A -HREF="#AEN111" +HREF="#AEN150" >Locking</A ></DT ></DL 
@@ -1181,38 +1317,44 @@ HREF="#BROWSING-QUICK" ><DL ><DT >2.1. <A -HREF="#AEN130" +HREF="#AEN174" >Discussion</A ></DT ><DT >2.2. <A -HREF="#AEN139" +HREF="#AEN193" >How browsing functions and how to deploy stable and dependable browsing using Samba</A ></DT ><DT >2.3. <A -HREF="#AEN149" ->Use of the "Remote Announce" parameter</A +HREF="#AEN207" +>Use of the <B +CLASS="COMMAND" +>Remote Announce</B +> parameter</A ></DT ><DT >2.4. <A -HREF="#AEN163" ->Use of the "Remote Browse Sync" parameter</A +HREF="#AEN230" +>Use of the <B +CLASS="COMMAND" +>Remote Browse Sync</B +> parameter</A ></DT ><DT >2.5. <A -HREF="#AEN168" +HREF="#AEN241" >Use of WINS</A ></DT ><DT >2.6. <A -HREF="#AEN179" +HREF="#AEN255" >Do NOT use more than one (1) protocol on MS Windows machines</A ></DT ><DT >2.7. <A -HREF="#AEN187" +HREF="#AEN263" >Name Resolution Order</A ></DT ></DL 
@@ -1226,129 +1368,129 @@ HREF="#PASSDB"
 ><DL
 ><DT
 >3.1. <A
-HREF="#AEN244"
+HREF="#AEN321"
 >Introduction</A
 ></DT
 ><DT
 >3.2. <A
-HREF="#AEN251"
+HREF="#AEN328"
 >Important Notes About Security</A
 ></DT
 ><DD
 ><DL
 ><DT
 >3.2.1. <A
-HREF="#AEN277"
+HREF="#AEN354"
 >Advantages of SMB Encryption</A
 ></DT
 ><DT
 >3.2.2. <A
-HREF="#AEN283"
+HREF="#AEN360"
 >Advantages of non-encrypted passwords</A
 ></DT
 ></DL
 ></DD
 ><DT
 >3.3. <A
-HREF="#AEN289"
+HREF="#AEN366"
 >The smbpasswd Command</A
 ></DT
 ><DT
 >3.4. <A
-HREF="#AEN320"
+HREF="#AEN397"
 >Plain text</A
 ></DT
 ><DT
 >3.5. <A
-HREF="#AEN325"
+HREF="#AEN402"
 >TDB</A
 ></DT
 ><DT
 >3.6. <A
-HREF="#AEN328"
+HREF="#AEN405"
 >LDAP</A
 ></DT
 ><DD
 ><DL
 ><DT
 >3.6.1. <A
-HREF="#AEN330"
+HREF="#AEN407"
 >Introduction</A
 ></DT
 ><DT
 >3.6.2. <A
-HREF="#AEN350"
+HREF="#AEN427"
 >Introduction</A
 ></DT
 ><DT
 >3.6.3. <A
-HREF="#AEN379"
+HREF="#AEN456"
 >Supported LDAP Servers</A
 ></DT
 ><DT
 >3.6.4. <A
-HREF="#AEN384"
+HREF="#AEN461"
 >Schema and Relationship to the RFC 2307 posixAccount</A
 ></DT
 ><DT
 >3.6.5. <A
-HREF="#AEN396"
+HREF="#AEN473"
 >Configuring Samba with LDAP</A
 ></DT
 ><DT
 >3.6.6. <A
-HREF="#AEN443"
+HREF="#AEN520"
 >Accounts and Groups management</A
 ></DT
 ><DT
 >3.6.7. <A
-HREF="#AEN448"
+HREF="#AEN525"
 >Security and sambaAccount</A
 ></DT
 ><DT
 >3.6.8. <A
-HREF="#AEN468"
+HREF="#AEN545"
 >LDAP specials attributes for sambaAccounts</A
 ></DT
 ><DT
 >3.6.9. <A
-HREF="#AEN538"
+HREF="#AEN615"
 >Example LDIF Entries for a sambaAccount</A
 ></DT
 ></DL
 ></DD
 ><DT
 >3.7. <A
-HREF="#AEN546"
+HREF="#AEN623"
 >MySQL</A
 ></DT
 ><DD
 ><DL
 ><DT
 >3.7.1. <A
-HREF="#AEN548"
+HREF="#AEN625"
 >Creating the database</A
 ></DT
 ><DT
 >3.7.2. <A
-HREF="#AEN558"
+HREF="#AEN635"
 >Configuring</A
 ></DT
 ><DT
 >3.7.3. <A
-HREF="#AEN575"
+HREF="#AEN652"
 >Using plaintext passwords or encrypted password</A
 ></DT
 ><DT
 >3.7.4. <A
-HREF="#AEN580"
+HREF="#AEN657"
 >Getting non-column data from the table</A
 ></DT
 ></DL
 ></DD
 ><DT
 >3.8. <A
-HREF="#AEN588"
+HREF="#AEN665"
 >XML</A
 ></DT
 ></DL
@@ -1368,7 +1510,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN26" +NAME="AEN65" >1.1. Obtaining and installing samba</A ></H2 ><P @@ -1389,7 +1531,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN31" +NAME="AEN70" >1.2. Configuring samba</A ></H2 ><P @@ -1410,7 +1552,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN36" +NAME="AEN75" >1.2.1. Editing the smb.conf file</A ></H3 ><P @@ -1465,7 +1607,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN50" +NAME="AEN89" >1.2.1.1. Test your config file with <B CLASS="COMMAND" @@ -1496,7 +1638,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN58" +NAME="AEN97" >1.2.2. SWAT</A ></H3 ><P @@ -1524,7 +1666,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN64" +NAME="AEN103" >1.3. Try listing the shares available on your server</A ></H2 @@ -1561,7 +1703,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN73" +NAME="AEN112" >1.4. Try connecting with the unix client</A ></H2 ><P @@ -1614,7 +1756,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN89" +NAME="AEN128" >1.5. Try connecting from a DOS, WfWg, Win9x, WinNT, Win2k, OS/2, etc... client</A ></H2 @@ -1657,7 +1799,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN103" +NAME="AEN142" >1.6. What If Things Don't Work?</A ></H2 ><P @@ -1683,7 +1825,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN108" +NAME="AEN147" >1.6.1. Scope IDs</A ></H3 ><P @@ -1699,7 +1841,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN111" +NAME="AEN150" >1.6.2. Locking</A ></H3 ><P 
@@ -1769,15 +1911,39 @@ be taken as the fast track guide to implementing browsing across subnets and / or across workgroups (or domains). WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling except by way of name to address mapping.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->Note: MS Windows 2000 and later can be configured to operate with NO NetBIOS +>MS Windows 2000 and later can be configured to operate with NO NetBIOS over TCP/IP. Samba-3 and later also supports this mode of operation.</P +></TD +></TR +></TABLE +></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN130" +NAME="AEN174" >2.1. Discussion</A ></H2 ><P 
@@ -1789,29 +1955,63 @@ messaging to affect browse list management. When running NetBIOS over TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast.</P ><P >Normally, only unicast UDP messaging can be forwarded by routers. The -"remote announce" parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the "remote browse sync" -parameter of smb.conf implements browse list collation using unicast UDP.</P +<B +CLASS="COMMAND" +>remote announce</B +> +parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the +<B +CLASS="COMMAND" +>remote browse sync</B +> parameter of <TT +CLASS="FILENAME" +>smb.conf</TT +> +implements browse list collation using unicast UDP.</P ><P >Secondly, in those networks where Samba is the only SMB server technology wherever possible nmbd should be configured on one (1) machine as the WINS server. This makes it easy to manage the browsing environment. If each network segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the "remote announce" and -the "remote browse sync" parameters to your smb.conf file.</P +get cross segment browsing to work is by using the +<B +CLASS="COMMAND" +>remote announce</B +> and the <B +CLASS="COMMAND" +>remote browse sync</B +> +parameters to your <TT +CLASS="FILENAME" +>smb.conf</TT +> file.</P ><P >If only one WINS server is used for an entire multi-segment network then -the use of the "remote announce" and the "remote browse sync" parameters -should NOT be necessary.</P +the use of the <B +CLASS="COMMAND" +>remote announce</B +> and the +<B +CLASS="COMMAND" +>remote browse sync</B +> parameters should NOT be necessary.</P ><P ->As of Samba-3 WINS replication is being worked on. The bulk of the code has +>As of Samba 3 WINS replication is being worked on. 
The bulk of the code has been committed, but it still needs maturation.</P ><P >Right now samba WINS does not support MS-WINS replication. This means that when setting up Samba as a WINS server there must only be one nmbd configured as a WINS server on the network. Some sites have used multiple Samba WINS -servers for redundancy (one server per subnet) and then used "remote browse -sync" and "remote announce" to affect browse list collation across all +servers for redundancy (one server per subnet) and then used +<B +CLASS="COMMAND" +>remote browse sync</B +> and <B +CLASS="COMMAND" +>remote announce</B +> +to affect browse list collation across all segments. Note that this means clients will only resolve local names, and must be configured to use DNS to resolve names on other subnets in order to resolve the IP addresses of the servers they can see on other @@ -1828,7 +2028,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN139" +NAME="AEN193" >2.2. How browsing functions and how to deploy stable and dependable browsing using Samba</A ></H2 @@ -1845,7 +2045,11 @@ well as name lookups are done by UDP broadcast. This isolates name resolution to the local subnet, unless LMHOSTS is used to list all names and IP addresses. In such situations Samba provides a means by which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the "remote announce" parameter).</P +list of a remote MS Windows network (using the +<B +CLASS="COMMAND" +>remote announce</B +> parameter).</P ><P >Where a WINS server is used, the MS Windows client will use UDP unicast to register with the WINS server. Such packets can be routed 
@@ -1873,14 +2077,23 @@ will annoy users because they will have to put up with protracted inability to use the network services.</P ><P >Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the "remote -browse sync" parameter in the smb.conf file. This causes Samba -to contact the local master browser on a remote network and +of browse lists across routed networks using the <B +CLASS="COMMAND" +>remote +browse sync</B +> parameter in the <TT +CLASS="FILENAME" +>smb.conf</TT +> file. +This causes Samba to contact the local master browser on a remote network and to request browse list synchronisation. This effectively bridges two networks that are separated by routers. The two remote networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the "remote -browse sync" parameter provides browse list synchronisation - and +based name resolution, but it should be noted that the <B +CLASS="COMMAND" +>remote +browse sync</B +> parameter provides browse list synchronisation - and that is distinct from name to address resolution, in other words, for cross subnet browsing to function correctly it is essential that a name to address resolution mechanism be provided. 
@@ -1895,21 +2108,40 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN149" ->2.3. Use of the "Remote Announce" parameter</A +NAME="AEN207" +>2.3. Use of the <B +CLASS="COMMAND" +>Remote Announce</B +> parameter</A ></H2 ><P ->The "remote announce" parameter of smb.conf can be used to forcibly ensure +>The <B +CLASS="COMMAND" +>remote announce</B +> parameter of +<TT +CLASS="FILENAME" +>smb.conf</TT +> can be used to forcibly ensure that all the NetBIOS names on a network get announced to a remote network. -The syntax of the "remote announce" parameter is: +The syntax of the <B +CLASS="COMMAND" +>remote announce</B +> parameter is: <PRE CLASS="PROGRAMLISTING" -> remote announce = a.b.c.d [e.f.g.h] ...</PRE +> remote announce = <VAR +CLASS="REPLACEABLE" +>a.b.c.d [e.f.g.h]</VAR +> ...</PRE > _or_ <PRE CLASS="PROGRAMLISTING" -> remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ...</PRE +> remote announce = <VAR +CLASS="REPLACEABLE" +>a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP]</VAR +> ...</PRE > where: @@ -1919,7 +2151,14 @@ where: CLASS="VARIABLELIST" ><DL ><DT ->a.b.c.d and e.f.g.h</DT +><VAR +CLASS="REPLACEABLE" +>a.b.c.d</VAR +> and +<VAR +CLASS="REPLACEABLE" +>e.f.g.h</VAR +></DT ><DD ><P >is either the LMB (Local Master Browser) IP address @@ -1934,7 +2173,10 @@ undesirable but may be necessary if we do NOT know the IP address of the remote LMB.</P ></DD ><DT ->WORKGROUP</DT +><VAR +CLASS="REPLACEABLE" +>WORKGROUP</VAR +></DT ><DD ><P >is optional and can be either our own workgroup 
@@ -1953,30 +2195,49 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN163" ->2.4. Use of the "Remote Browse Sync" parameter</A +NAME="AEN230" +>2.4. Use of the <B +CLASS="COMMAND" +>Remote Browse Sync</B +> parameter</A ></H2 ><P ->The "remote browse sync" parameter of smb.conf is used to announce to +>The <B +CLASS="COMMAND" +>remote browse sync</B +> parameter of +<TT +CLASS="FILENAME" +>smb.conf</TT +> is used to announce to another LMB that it must synchronise it's NetBIOS name list with our Samba LMB. It works ONLY if the Samba server that has this option is simultaneously the LMB on it's network segment.</P ><P ->The syntax of the "remote browse sync" parameter is: +>The syntax of the <B +CLASS="COMMAND" +>remote browse sync</B +> parameter is: <PRE CLASS="PROGRAMLISTING" ->remote browse sync = a.b.c.d</PRE +>remote browse sync = <VAR +CLASS="REPLACEABLE" +>a.b.c.d</VAR +></PRE > -where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.</P +where <VAR +CLASS="REPLACEABLE" +>a.b.c.d</VAR +> is either the IP address of the remote LMB or else is the network broadcast address of the remote segment.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN168" +NAME="AEN241" >2.5. Use of WINS</A ></H2 ><P @@ -2000,7 +2261,11 @@ of all names that have registered the NetLogon service name_type. This saves broadcast traffic and greatly expedites logon processing. Since broadcast name resolution can not be used across network segments this type of information can only be provided via WINS _or_ via statically configured -"lmhosts" files that must reside on all clients in the absence of WINS.</P +<TT +CLASS="FILENAME" +>lmhosts</TT +> files that must reside on all clients in the +absence of WINS.</P ><P >WINS also serves the purpose of forcing browse list synchronisation by all LMB's. LMB's must synchronise their browse list with the DMB (domain master 
@@ -2018,8 +2283,15 @@ machines that have not registered with a WINS server will fail name to address lookup attempts by other clients and will therefore cause workstation access errors.</P ><P ->To configure Samba as a WINS server just add "wins support = yes" to the -smb.conf file [globals] section.</P +>To configure Samba as a WINS server just add +<B +CLASS="COMMAND" +>wins support = yes</B +> to the <TT +CLASS="FILENAME" +>smb.conf</TT +> +file [globals] section.</P ><P >To configure Samba to register with a WINS server just add "wins server = a.b.c.d" to your smb.conf file [globals] section.</P @@ -2039,7 +2311,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN179" +NAME="AEN255" >2.6. Do NOT use more than one (1) protocol on MS Windows machines</A ></H2 ><P @@ -2082,7 +2354,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN187" +NAME="AEN263" >2.7. Name Resolution Order</A ></H2 ><P @@ -2173,7 +2445,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN244" +NAME="AEN321" >3.1. Introduction</A ></H2 ><P @@ -2214,7 +2486,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN251" +NAME="AEN328" >3.2. Important Notes About Security</A ></H2 ><P @@ -2377,7 +2649,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN277" +NAME="AEN354" >3.2.1. Advantages of SMB Encryption</A ></H3 ><P @@ -2403,7 +2675,7 @@ BORDER="0" ></TR ><TR ><TD ->Encrypted password support allows auto-matic share +>Encrypted password support allows automatic share (resource) reconnects.</TD ></TR ></TBODY @@ -2416,7 +2688,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN283" +NAME="AEN360" >3.2.2. Advantages of non-encrypted passwords</A ></H3 ><P @@ -2451,7 +2723,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN289" +NAME="AEN366" >3.3. The smbpasswd Command</A ></H2 ><P @@ -2554,7 +2826,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN320" +NAME="AEN397" >3.4. Plain text</A ></H2 ><P 
@@ -2574,7 +2846,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN325" +NAME="AEN402" >3.5. TDB</A ></H2 ><P @@ -2587,7 +2859,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN328" +NAME="AEN405" >3.6. LDAP</A ></H2 ><DIV @@ -2595,7 +2867,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN330" +NAME="AEN407" >3.6.1. Introduction</A ></H3 ><P @@ -2663,7 +2935,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN350" +NAME="AEN427" >3.6.2. Introduction</A ></H3 ><P @@ -2772,7 +3044,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN379" +NAME="AEN456" >3.6.3. Supported LDAP Servers</A ></H3 ><P @@ -2783,12 +3055,12 @@ and client SDK. However, due to lack of testing so far, there are bound to be compile errors and bugs. These should not be hard to fix. If you are so inclined, please be sure to forward all patches to <A -HREF="samba-patches@samba.org" +HREF="mailto:samba-patches@samba.org" TARGET="_top" >samba-patches@samba.org</A > and <A -HREF="jerry@samba.org" +HREF="mailto:jerry@samba.org" TARGET="_top" >jerry@samba.org</A >.</P @@ -2798,7 +3070,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN384" +NAME="AEN461" >3.6.4. Schema and Relationship to the RFC 2307 posixAccount</A ></H3 ><P @@ -2823,7 +3095,7 @@ CLASS="PROGRAMLISTING" owned by the Samba Team and as such is legal to be openly published. If you translate the schema to be used with Netscape DS, please submit the modified schema file as a patch to <A -HREF="jerry@samba.org" +HREF="mailto:jerry@samba.org" TARGET="_top" >jerry@samba.org</A ></P @@ -2855,7 +3127,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN396" +NAME="AEN473" >3.6.5. Configuring Samba with LDAP</A ></H3 ><DIV @@ -2863,7 +3135,7 @@ CLASS="SECT3" ><H4 CLASS="SECT3" ><A -NAME="AEN398" +NAME="AEN475" >3.6.5.1. OpenLDAP configuration</A ></H4 ><P 
@@ -2873,9 +3145,9 @@ server, first copy the samba.schema file to slapd's configuration directory.</P ><SAMP CLASS="PROMPT" >root# </SAMP -><B -CLASS="COMMAND" ->cp samba.schema /etc/openldap/schema/</B +><KBD +CLASS="USERINPUT" +>cp samba.schema /etc/openldap/schema/</KBD ></P ><P >Next, include the <TT @@ -2945,7 +3217,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN415" +NAME="AEN492" >3.6.5.2. Configuring Samba</A ></H4 ><P @@ -3061,7 +3333,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN443" +NAME="AEN520" >3.6.6. Accounts and Groups management</A ></H3 ><P @@ -3086,7 +3358,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN448" +NAME="AEN525" >3.6.7. Security and sambaAccount</A ></H3 ><P @@ -3165,7 +3437,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN468" +NAME="AEN545" >3.6.8. LDAP specials attributes for sambaAccounts</A ></H3 ><P @@ -3372,7 +3644,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN538" +NAME="AEN615" >3.6.9. Example LDIF Entries for a sambaAccount</A ></H3 ><P @@ -3431,7 +3703,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN546" +NAME="AEN623" >3.7. MySQL</A ></H2 ><DIV @@ -3439,7 +3711,7 @@ CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN548" +NAME="AEN625" >3.7.1. Creating the database</A ></H3 ><P @@ -3475,7 +3747,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN558" +NAME="AEN635" >3.7.2. Configuring</A ></H3 ><P @@ -3586,7 +3858,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN575" +NAME="AEN652" >3.7.3. Using plaintext passwords or encrypted password</A ></H3 ><P @@ -3601,7 +3873,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN580" +NAME="AEN657" >3.7.4. Getting non-column data from the table</A ></H3 ><P @@ -3627,7 +3899,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN588" +NAME="AEN665" >3.8. XML</A ></H2 ><P 
@@ -3635,17 +3907,17 @@ NAME="AEN588" ><P >The usage of pdb_xml is pretty straightforward. To export data, use: -<B -CLASS="COMMAND" ->pdbedit -e xml:filename</B +<KBD +CLASS="USERINPUT" +>pdbedit -e xml:filename</KBD > (where filename is the name of the file to put the data in)</P ><P >To import data, use: -<B -CLASS="COMMAND" ->pdbedit -i xml:filename -e current-pdb</B +<KBD +CLASS="USERINPUT" +>pdbedit -i xml:filename -e current-pdb</KBD > Where filename is the name to read the data from and current-pdb to put it in.</P @@ -3665,7 +3937,7 @@ CLASS="TITLE" ><DIV CLASS="PARTINTRO" ><A -NAME="AEN597" +NAME="AEN674" ></A ><H1 >Introduction</H1 @@ -3689,24 +3961,24 @@ HREF="#SERVERTYPE" ><DL ><DT >4.1. <A -HREF="#AEN626" +HREF="#AEN703" >Stand Alone Server</A ></DT ><DT >4.2. <A -HREF="#AEN633" +HREF="#AEN710" >Domain Member Server</A ></DT ><DT >4.3. <A -HREF="#AEN639" +HREF="#AEN716" >Domain Controller</A ></DT ><DD ><DL ><DT >4.3.1. <A -HREF="#AEN642" +HREF="#AEN719" >Domain Controller Types</A ></DT ></DL @@ -3722,34 +3994,34 @@ HREF="#SECURITYLEVELS" ><DL ><DT >5.1. <A -HREF="#AEN668" +HREF="#AEN752" >User and Share security level</A ></DT ><DD ><DL ><DT >5.1.1. <A -HREF="#AEN671" +HREF="#AEN755" >User Level Security</A ></DT ><DT >5.1.2. <A -HREF="#AEN681" +HREF="#AEN765" >Share Level Security</A ></DT ><DT >5.1.3. <A -HREF="#AEN685" +HREF="#AEN769" >Server Level Security</A ></DT ><DT >5.1.4. <A -HREF="#AEN724" +HREF="#AEN808" >Domain Level Security</A ></DT ><DT >5.1.5. <A -HREF="#AEN745" +HREF="#AEN829" >ADS Level Security</A ></DT ></DL 
@@ -3765,63 +4037,63 @@ HREF="#SAMBA-PDC" ><DL ><DT >6.1. <A -HREF="#AEN772" +HREF="#AEN859" >Prerequisite Reading</A ></DT ><DT >6.2. <A -HREF="#AEN777" +HREF="#AEN864" >Background</A ></DT ><DT >6.3. <A -HREF="#AEN817" +HREF="#AEN904" >Configuring the Samba Domain Controller</A ></DT ><DT >6.4. <A -HREF="#AEN859" +HREF="#AEN946" >Creating Machine Trust Accounts and Joining Clients to the Domain</A ></DT ><DD ><DL ><DT >6.4.1. <A -HREF="#AEN902" +HREF="#AEN989" >Manual Creation of Machine Trust Accounts</A ></DT ><DT >6.4.2. <A -HREF="#AEN943" +HREF="#AEN1030" >"On-the-Fly" Creation of Machine Trust Accounts</A ></DT ><DT >6.4.3. <A -HREF="#AEN952" +HREF="#AEN1039" >Joining the Client to the Domain</A ></DT ></DL ></DD ><DT >6.5. <A -HREF="#AEN967" +HREF="#AEN1054" >Common Problems and Errors</A ></DT ><DT >6.6. <A -HREF="#AEN1013" +HREF="#AEN1100" >What other help can I get?</A ></DT ><DT >6.7. <A -HREF="#AEN1127" +HREF="#AEN1214" >Domain Control for Windows 9x/ME</A ></DT ><DD ><DL ><DT >6.7.1. <A -HREF="#AEN1150" +HREF="#AEN1237" >Configuration Instructions: Network Logons</A ></DT ></DL 
@@ -3837,53 +4109,53 @@ HREF="#SAMBA-BDC" ><DL ><DT >7.1. <A -HREF="#AEN1180" +HREF="#AEN1267" >Prerequisite Reading</A ></DT ><DT >7.2. <A -HREF="#AEN1184" +HREF="#AEN1271" >Background</A ></DT ><DT >7.3. <A -HREF="#AEN1192" +HREF="#AEN1279" >What qualifies a Domain Controller on the network?</A ></DT ><DD ><DL ><DT >7.3.1. <A -HREF="#AEN1195" +HREF="#AEN1282" >How does a Workstation find its domain controller?</A ></DT ><DT >7.3.2. <A -HREF="#AEN1198" +HREF="#AEN1285" >When is the PDC needed?</A ></DT ></DL ></DD ><DT >7.4. <A -HREF="#AEN1201" +HREF="#AEN1288" >Can Samba be a Backup Domain Controller to an NT PDC?</A ></DT ><DT >7.5. <A -HREF="#AEN1206" +HREF="#AEN1293" >How do I set up a Samba BDC?</A ></DT ><DD ><DL ><DT >7.5.1. <A -HREF="#AEN1223" +HREF="#AEN1310" >How do I replicate the smbpasswd file?</A ></DT ><DT >7.5.2. <A -HREF="#AEN1227" +HREF="#AEN1314" >Can I do this all with LDAP?</A ></DT ></DL @@ -3899,7 +4171,7 @@ HREF="#ADS" ><DL ><DT >8.1. <A -HREF="#AEN1238" +HREF="#AEN1336" >Setup your <TT CLASS="FILENAME" >smb.conf</TT @@ -3907,7 +4179,7 @@ CLASS="FILENAME" ></DT ><DT >8.2. <A -HREF="#AEN1249" +HREF="#AEN1349" >Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT @@ -3915,31 +4187,31 @@ CLASS="FILENAME" ></DT ><DT >8.3. <A -HREF="#AEN1260" +HREF="#ADS-CREATE-MACHINE-ACCOUNT" >Create the computer account</A ></DT ><DD ><DL ><DT >8.3.1. <A -HREF="#AEN1264" +HREF="#AEN1373" >Possible errors</A ></DT ></DL ></DD ><DT >8.4. <A -HREF="#AEN1272" +HREF="#ADS-TEST-SERVER" >Test your server setup</A ></DT ><DT >8.5. <A -HREF="#AEN1277" +HREF="#ADS-TEST-SMBCLIENT" >Testing with smbclient</A ></DT ><DT >8.6. <A -HREF="#AEN1280" +HREF="#AEN1390" >Notes</A ></DT ></DL @@ -3953,12 +4225,12 @@ HREF="#DOMAIN-SECURITY" ><DL ><DT >9.1. <A -HREF="#AEN1302" +HREF="#AEN1413" >Joining an NT Domain with Samba 3.0</A ></DT ><DT >9.2. <A -HREF="#AEN1356" +HREF="#AEN1467" >Why is this better than security = server?</A ></DT ></DL 
@@ -4017,7 +4289,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN626" +NAME="AEN703" >4.1. Stand Alone Server</A ></H2 ><P @@ -4060,7 +4332,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN633" +NAME="AEN710" >4.2. Domain Member Server</A ></H2 ><P @@ -4068,8 +4340,7 @@ NAME="AEN633" of a domain security context. This means by definition that all user authentication will be done from a centrally defined authentication regime. The authentication regime may come from an NT3/4 style (old domain technology) server, or it may be -provided from an Active Directory server (ADS) running on MS Windows 2000 or later. ->/para> </P +provided from an Active Directory server (ADS) running on MS Windows 2000 or later.</P ><P ><SPAN CLASS="emphasis" @@ -4091,7 +4362,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN639" +NAME="AEN716" >4.3. Domain Controller</A ></H2 ><P @@ -4103,7 +4374,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN642" +NAME="AEN719" >4.3.1. Domain Controller Types</A ></H3 ><P @@ -4197,7 +4468,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN668" +NAME="AEN752" >5.1. User and Share security level</A ></H2 ><P @@ -4215,7 +4486,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN671" +NAME="AEN755" >5.1.1. User Level Security</A ></H3 ><P @@ -4256,7 +4527,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN681" +NAME="AEN765" >5.1.2. Share Level Security</A ></H3 ><P @@ -4287,7 +4558,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN685" +NAME="AEN769" >5.1.3. Server Level Security</A ></H3 ><P @@ -4323,7 +4594,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN690" +NAME="AEN774" >5.1.3.1. Configuring Samba for Seemless Windows Network Integration</A ></H4 ><P @@ -4435,7 +4706,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN716" +NAME="AEN800" >5.1.3.2. Use MS Windows NT as an authentication server</A ></H4 ><P 
@@ -4471,7 +4742,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN724" +NAME="AEN808" >5.1.4. Domain Level Security</A ></H3 ><P @@ -4489,7 +4760,7 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN728" +NAME="AEN812" >5.1.4.1. Samba as a member of an MS Windows NT security domain</A ></H4 ><P @@ -4552,7 +4823,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN745" +NAME="AEN829" >5.1.5. ADS Level Security</A ></H3 ><P @@ -4579,7 +4850,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN772" +NAME="AEN859" >6.1. Prerequisite Reading</A ></H2 ><P @@ -4602,7 +4873,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN777" +NAME="AEN864" >6.2. Background</A ></H2 ><P @@ -4749,7 +5020,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN817" +NAME="AEN904" >6.3. Configuring the Samba Domain Controller</A ></H2 ><P @@ -4912,8 +5183,7 @@ TARGET="_top" ><P > Encrypted passwords must be enabled. For more details on how to do this, refer to <A -HREF="ENCRYPTION.html" -TARGET="_top" +HREF="#PASSDB" >ENCRYPTION.html</A >. </P @@ -4946,7 +5216,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN859" +NAME="AEN946" >6.4. Creating Machine Trust Accounts and Joining Clients to the Domain</A ></H2 ><P @@ -5132,7 +5402,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN902" +NAME="AEN989" >6.4.1. Manual Creation of Machine Trust Accounts</A ></H3 ><P @@ -5302,7 +5572,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN943" +NAME="AEN1030" >6.4.2. "On-the-Fly" Creation of Machine Trust Accounts</A ></H3 ><P @@ -5339,7 +5609,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN952" +NAME="AEN1039" >6.4.3. Joining the Client to the Domain</A ></H3 ><P @@ -5407,7 +5677,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN967" +NAME="AEN1054" >6.5. Common Problems and Errors</A ></H2 ><P @@ -5606,7 +5876,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1013" +NAME="AEN1100" >6.6. What other help can I get?</A ></H2 ><P 
@@ -6026,7 +6296,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1127" +NAME="AEN1214" >6.7. Domain Control for Windows 9x/ME</A ></H2 ><P @@ -6125,7 +6395,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1150" +NAME="AEN1237" >6.7.1. Configuration Instructions: Network Logons</A ></H3 ><P @@ -6240,7 +6510,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1180" +NAME="AEN1267" >7.1. Prerequisite Reading</A ></H2 ><P @@ -6257,7 +6527,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1184" +NAME="AEN1271" >7.2. Background</A ></H2 ><P @@ -6302,7 +6572,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1192" +NAME="AEN1279" >7.3. What qualifies a Domain Controller on the network?</A ></H2 ><P @@ -6319,7 +6589,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1195" +NAME="AEN1282" >7.3.1. How does a Workstation find its domain controller?</A ></H3 ><P @@ -6338,7 +6608,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1198" +NAME="AEN1285" >7.3.2. When is the PDC needed?</A ></H3 ><P @@ -6354,7 +6624,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1201" +NAME="AEN1288" >7.4. Can Samba be a Backup Domain Controller to an NT PDC?</A ></H2 ><P @@ -6377,7 +6647,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1206" +NAME="AEN1293" >7.5. How do I set up a Samba BDC?</A ></H2 ><P @@ -6444,7 +6714,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1223" +NAME="AEN1310" >7.5.1. How do I replicate the smbpasswd file?</A ></H3 ><P @@ -6465,7 +6735,7 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1227" +NAME="AEN1314" >7.5.2. Can I do this all with LDAP?</A ></H3 ><P @@ -6492,7 +6762,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1238" +NAME="AEN1336" >8.1. Setup your <TT CLASS="FILENAME" >smb.conf</TT 
@@ -6520,26 +6790,57 @@ CLASS="FILENAME" CLASS="PROGRAMLISTING" > ads server = your.kerberos.server</PRE ></P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P >You do *not* need a smbpasswd file, and older clients will - be authenticated as if "security = domain", although it won't do any harm + be authenticated as if <B +CLASS="COMMAND" +>security = domain</B +>, + although it won't do any harm and allows you to have local users not in the domain. I expect that the above required options will change soon when we get better active directory integration.</P +></TD +></TR +></TABLE +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1249" +NAME="AEN1349" >8.2. Setup your <TT CLASS="FILENAME" >/etc/krb5.conf</TT ></A ></H2 ><P ->The minimal configuration for krb5.conf is:</P +>The minimal configuration for <TT +CLASS="FILENAME" +>krb5.conf</TT +> is:</P ><P ><PRE CLASS="PROGRAMLISTING" 
@@ -6549,10 +6850,43 @@ CLASS="PROGRAMLISTING" }</PRE ></P ><P ->Test your config by doing a "kinit USERNAME@REALM" and making sure that +>Test your config by doing a <KBD +CLASS="USERINPUT" +>kinit <VAR +CLASS="REPLACEABLE" +>USERNAME</VAR +>@<VAR +CLASS="REPLACEABLE" +>REALM</VAR +></KBD +> and making sure that your password is accepted by the Win2000 KDC. </P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->NOTE: The realm must be uppercase. </P +>The realm must be uppercase. </P +></TD +></TR +></TABLE +></DIV ><P >You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to 
@@ -6560,13 +6894,28 @@ must either be the netbios name of the KDC (ie. the hostname with no domain attached) or it can alternatively be the netbios name followed by the realm. </P ><P ->The easiest way to ensure you get this right is to add a /etc/hosts -entry mapping the IP address of your KDC to its netbios name. If you -don't get this right then you will get a "local error" when you try -to join the realm.</P -><P +>The easiest way to ensure you get this right is to add a +<TT +CLASS="FILENAME" +>/etc/hosts</TT +> entry mapping the IP address of your KDC to +its netbios name. If you don't get this right then you will get a +"local error" when you try to join the realm.</P +><P >If all you want is kerberos support in smbclient then you can skip -straight to step 5 now. Step 3 is only needed if you want kerberos +straight to <A +HREF="#ADS-TEST-SMBCLIENT" +>Test with smbclient</A +> now. +<A +HREF="#ADS-CREATE-MACHINE-ACCOUNT" +>Creating a computer account</A +> +and <A +HREF="#ADS-TEST-SERVER" +>testing your servers</A +> +is only needed if you want kerberos support for smbd and winbindd.</P ></DIV ><DIV @@ -6574,22 +6923,22 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1260" +NAME="ADS-CREATE-MACHINE-ACCOUNT" >8.3. Create the computer account</A ></H2 ><P >As a user that has write permission on the Samba private directory (usually root) run: -<B -CLASS="COMMAND" ->net ads join</B +<KBD +CLASS="USERINPUT" +>net ads join</KBD ></P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1264" +NAME="AEN1373" >8.3.1. Possible errors</A ></H3 ><P 
@@ -6614,18 +6963,18 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1272" +NAME="ADS-TEST-SERVER" >8.4. Test your server setup</A ></H2 ><P ->On a Windows 2000 client try <B -CLASS="COMMAND" ->net use * \\server\share</B +>On a Windows 2000 client try <KBD +CLASS="USERINPUT" +>net use * \\server\share</KBD >. You should be logged in with kerberos without needing to know a password. If -this fails then run <B -CLASS="COMMAND" ->klist tickets</B +this fails then run <KBD +CLASS="USERINPUT" +>klist tickets</KBD >. Did you get a ticket for the server? Does it have an encoding type of DES-CBC-MD5 ? </P ></DIV @@ -6634,20 +6983,23 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1277" +NAME="ADS-TEST-SMBCLIENT" >8.5. Testing with smbclient</A ></H2 ><P >On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but -specify the -k option to choose kerberos authentication.</P +specify the <VAR +CLASS="PARAMETER" +>-k</VAR +> option to choose kerberos authentication.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1280" +NAME="AEN1390" >8.6. Notes</A ></H2 ><P @@ -6670,7 +7022,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1302" +NAME="AEN1413" >9.1. Joining an NT Domain with Samba 3.0</A ></H2 ><P @@ -6853,7 +7205,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1356" +NAME="AEN1467" >9.2. Why is this better than security = server?</A ></H2 ><P @@ -6965,7 +7317,7 @@ CLASS="TITLE" ><DIV CLASS="PARTINTRO" ><A -NAME="AEN1374" +NAME="AEN1485" ></A ><H1 >Introduction</H1 
@@ -6982,234 +7334,195 @@ CLASS="TOC" ></DT ><DT >10. <A -HREF="#ADVANCEDNETWORKMANAGEMENT" ->Advanced Network Manangement Information</A -></DT -><DD -><DL -><DT ->10.1. <A -HREF="#AEN1388" ->Remote Server Administration</A -></DT -></DL -></DD -><DT ->11. <A HREF="#UNIX-PERMISSIONS" >UNIX Permission Bits and Windows NT Access Control Lists</A ></DT ><DD ><DL ><DT ->11.1. <A -HREF="#AEN1416" +>10.1. <A +HREF="#AEN1499" >Viewing and changing UNIX permissions using the NT security dialogs</A ></DT ><DT ->11.2. <A -HREF="#AEN1420" +>10.2. <A +HREF="#AEN1505" >How to view file security on a Samba share</A ></DT ><DT ->11.3. <A -HREF="#AEN1431" +>10.3. <A +HREF="#AEN1516" >Viewing file ownership</A ></DT ><DT ->11.4. <A -HREF="#AEN1451" +>10.4. <A +HREF="#AEN1536" >Viewing file or directory permissions</A ></DT ><DD ><DL ><DT ->11.4.1. <A -HREF="#AEN1466" +>10.4.1. <A +HREF="#AEN1551" >File Permissions</A ></DT ><DT ->11.4.2. <A -HREF="#AEN1480" +>10.4.2. <A +HREF="#AEN1565" >Directory Permissions</A ></DT ></DL ></DD ><DT ->11.5. <A -HREF="#AEN1487" +>10.5. <A +HREF="#AEN1572" >Modifying file or directory permissions</A ></DT ><DT ->11.6. <A -HREF="#AEN1509" +>10.6. <A +HREF="#AEN1594" >Interaction with the standard Samba create mask parameters</A ></DT ><DT ->11.7. <A -HREF="#AEN1563" +>10.7. <A +HREF="#AEN1648" >Interaction with the standard Samba file attribute mapping</A ></DT ></DL ></DD ><DT ->12. <A +>11. <A HREF="#GROUPMAPPING" ->Group mapping HOWTO</A -></DT -><DT ->13. <A -HREF="#PAM" ->Configuring PAM for distributed but centrally -managed authentication</A -></DT -><DD -><DL -><DT ->13.1. <A -HREF="#AEN1619" ->Samba and PAM</A -></DT -><DT ->13.2. <A -HREF="#AEN1668" ->Distributed Authentication</A -></DT -><DT ->13.3. <A -HREF="#AEN1673" ->PAM Configuration in smb.conf</A +>Configuring Group Mapping</A ></DT -></DL -></DD ><DT ->14. <A +>12. <A HREF="#PRINTING" >Printing Support</A ></DT ><DD ><DL ><DT ->14.1. <A -HREF="#AEN1699" +>12.1. 
<A +HREF="#AEN1711" >Introduction</A ></DT ><DT ->14.2. <A -HREF="#AEN1721" +>12.2. <A +HREF="#AEN1733" >Configuration</A ></DT ><DD ><DL ><DT ->14.2.1. <A -HREF="#AEN1729" +>12.2.1. <A +HREF="#AEN1741" >Creating [print$]</A ></DT ><DT ->14.2.2. <A -HREF="#AEN1764" +>12.2.2. <A +HREF="#AEN1776" >Setting Drivers for Existing Printers</A ></DT ><DT ->14.2.3. <A -HREF="#AEN1780" +>12.2.3. <A +HREF="#AEN1792" >Support a large number of printers</A ></DT ><DT ->14.2.4. <A -HREF="#AEN1791" +>12.2.4. <A +HREF="#AEN1807" >Adding New Printers via the Windows NT APW</A ></DT ><DT ->14.2.5. <A -HREF="#AEN1821" +>12.2.5. <A +HREF="#AEN1837" >Samba and Printer Ports</A ></DT ></DL ></DD ><DT ->14.3. <A -HREF="#AEN1829" +>12.3. <A +HREF="#AEN1845" >The Imprints Toolset</A ></DT ><DD ><DL ><DT ->14.3.1. <A -HREF="#AEN1833" +>12.3.1. <A +HREF="#AEN1849" >What is Imprints?</A ></DT ><DT ->14.3.2. <A -HREF="#AEN1843" +>12.3.2. <A +HREF="#AEN1859" >Creating Printer Driver Packages</A ></DT ><DT ->14.3.3. <A -HREF="#AEN1846" +>12.3.3. <A +HREF="#AEN1862" >The Imprints server</A ></DT ><DT ->14.3.4. <A -HREF="#AEN1850" +>12.3.4. <A +HREF="#AEN1866" >The Installation Client</A ></DT ></DL ></DD ><DT ->14.4. <A -HREF="#AEN1872" +>12.4. <A +HREF="#AEN1888" >Diagnosis</A ></DT ><DD ><DL ><DT ->14.4.1. <A -HREF="#AEN1874" +>12.4.1. <A +HREF="#AEN1890" >Introduction</A ></DT ><DT ->14.4.2. <A -HREF="#AEN1890" +>12.4.2. <A +HREF="#AEN1906" >Debugging printer problems</A ></DT ><DT ->14.4.3. <A -HREF="#AEN1899" +>12.4.3. <A +HREF="#AEN1915" >What printers do I have?</A ></DT ><DT ->14.4.4. <A -HREF="#AEN1907" +>12.4.4. <A +HREF="#AEN1923" >Setting up printcap and print servers</A ></DT ><DT ->14.4.5. <A -HREF="#AEN1935" +>12.4.5. <A +HREF="#AEN1951" >Job sent, no output</A ></DT ><DT ->14.4.6. <A -HREF="#AEN1946" +>12.4.6. <A +HREF="#AEN1962" >Job sent, strange output</A ></DT ><DT ->14.4.7. <A -HREF="#AEN1958" +>12.4.7. <A +HREF="#AEN1974" >Raw PostScript printed</A ></DT ><DT ->14.4.8. 
<A -HREF="#AEN1961" +>12.4.8. <A +HREF="#AEN1977" >Advanced Printing</A ></DT ><DT ->14.4.9. <A -HREF="#AEN1964" +>12.4.9. <A +HREF="#AEN1980" >Real debugging</A ></DT ></DL 
@@ -7217,434 +7530,465 @@ HREF="#AEN1964" ></DL ></DD ><DT ->15. <A +>13. <A HREF="#CUPS-PRINTING" >CUPS Printing Support</A ></DT ><DD ><DL ><DT ->15.1. <A -HREF="#AEN1984" +>13.1. <A +HREF="#AEN2000" >Introduction</A ></DT ><DT ->15.2. <A -HREF="#AEN1989" ->CUPS - RAW Print Through Mode</A +>13.2. <A +HREF="#AEN2007" +>Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A ></DT ><DT ->15.3. <A -HREF="#AEN2044" ->The CUPS Filter Chains</A +>13.3. <A +HREF="#AEN2026" +>CUPS - RAW Print Through Mode</A ></DT ><DT ->15.4. <A +>13.4. <A HREF="#AEN2083" +>CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A +></DT +><DT +>13.5. <A +HREF="#AEN2104" +>Windows Terminal Servers (WTS) as CUPS clients</A +></DT +><DT +>13.6. <A +HREF="#AEN2108" +>Setting up CUPS for driver download</A +></DT +><DT +>13.7. <A +HREF="#AEN2120" +>Sources of CUPS drivers / PPDs</A +></DT +><DD +><DL +><DT +>13.7.1. <A +HREF="#AEN2147" +><B +CLASS="COMMAND" +>cupsaddsmb</B +></A +></DT +></DL +></DD +><DT +>13.8. <A +HREF="#AEN2176" +>The CUPS Filter Chains</A +></DT +><DT +>13.9. <A +HREF="#AEN2215" >CUPS Print Drivers and Devices</A ></DT ><DD ><DL ><DT ->15.4.1. <A -HREF="#AEN2090" +>13.9.1. <A +HREF="#AEN2222" >Further printing steps</A ></DT ></DL ></DD ><DT ->15.5. <A -HREF="#AEN2160" +>13.10. <A +HREF="#AEN2292" >Limiting the number of pages users can print</A ></DT ><DT ->15.6. <A -HREF="#AEN2249" +>13.11. <A +HREF="#AEN2388" >Advanced Postscript Printing from MS Windows</A ></DT ><DT ->15.7. <A -HREF="#AEN2264" +>13.12. <A +HREF="#AEN2403" >Auto-Deletion of CUPS spool files</A ></DT ></DL ></DD ><DT ->16. <A +>14. <A HREF="#WINBIND" >Unified Logons between Windows NT and UNIX using Winbind</A ></DT ><DD ><DL ><DT ->16.1. <A -HREF="#AEN2326" +>14.1. <A +HREF="#AEN2469" >Abstract</A ></DT ><DT ->16.2. <A -HREF="#AEN2330" +>14.2. <A +HREF="#AEN2473" >Introduction</A ></DT ><DT ->16.3. 
<A -HREF="#AEN2343" +>14.3. <A +HREF="#AEN2486" >What Winbind Provides</A ></DT ><DD ><DL ><DT ->16.3.1. <A -HREF="#AEN2350" +>14.3.1. <A +HREF="#AEN2493" >Target Uses</A ></DT ></DL ></DD ><DT ->16.4. <A -HREF="#AEN2354" +>14.4. <A +HREF="#AEN2497" >How Winbind Works</A ></DT ><DD ><DL ><DT ->16.4.1. <A -HREF="#AEN2359" +>14.4.1. <A +HREF="#AEN2502" >Microsoft Remote Procedure Calls</A ></DT ><DT ->16.4.2. <A -HREF="#AEN2363" +>14.4.2. <A +HREF="#AEN2506" >Microsoft Active Directory Services</A ></DT ><DT ->16.4.3. <A -HREF="#AEN2366" +>14.4.3. <A +HREF="#AEN2509" >Name Service Switch</A ></DT ><DT ->16.4.4. <A -HREF="#AEN2382" +>14.4.4. <A +HREF="#AEN2525" >Pluggable Authentication Modules</A ></DT ><DT ->16.4.5. <A -HREF="#AEN2390" +>14.4.5. <A +HREF="#AEN2533" >User and Group ID Allocation</A ></DT ><DT ->16.4.6. <A -HREF="#AEN2394" +>14.4.6. <A +HREF="#AEN2537" >Result Caching</A ></DT ></DL ></DD ><DT ->16.5. <A -HREF="#AEN2397" +>14.5. <A +HREF="#AEN2540" >Installation and Configuration</A ></DT ><DD ><DL ><DT ->16.5.1. <A -HREF="#AEN2402" +>14.5.1. <A +HREF="#AEN2545" >Introduction</A ></DT ><DT ->16.5.2. <A -HREF="#AEN2415" +>14.5.2. <A +HREF="#AEN2558" >Requirements</A ></DT ><DT ->16.5.3. <A -HREF="#AEN2429" +>14.5.3. <A +HREF="#AEN2572" >Testing Things Out</A ></DT ></DL ></DD ><DT ->16.6. <A -HREF="#AEN2654" +>14.6. <A +HREF="#AEN2797" >Limitations</A ></DT ><DT ->16.7. <A -HREF="#AEN2664" +>14.7. <A +HREF="#AEN2807" >Conclusion</A ></DT ></DL ></DD ><DT ->17. <A -HREF="#POLICYMGMT" ->Policy Management - Hows and Whys</A +>15. <A +HREF="#ADVANCEDNETWORKMANAGEMENT" +>Advanced Network Manangement</A ></DT ><DD ><DL ><DT ->17.1. <A -HREF="#AEN2678" ->System Policies</A +>15.1. <A +HREF="#AEN2822" +>Configuring Samba Share Access Controls</A ></DT ><DD ><DL ><DT ->17.1.1. <A -HREF="#AEN2692" ->Creating and Managing Windows 9x/Me Policies</A +>15.1.1. <A +HREF="#AEN2832" +>Share Permissions Management</A ></DT +></DL +></DD ><DT ->17.1.2. 
<A -HREF="#AEN2704" ->Creating and Managing Windows NT4 Style Policy Files</A +>15.2. <A +HREF="#AEN2860" +>Remote Server Administration</A ></DT ><DT ->17.1.3. <A -HREF="#AEN2722" ->Creating and Managing MS Windows 200x Policies</A +>15.3. <A +HREF="#AEN2877" +>Network Logon Script Magic</A ></DT ></DL ></DD -></DL -></DD ><DT ->18. <A -HREF="#PROFILEMGMT" ->Profile Management</A +>16. <A +HREF="#POLICYMGMT" +>System and Account Policies</A ></DT ><DD ><DL ><DT ->18.1. <A -HREF="#AEN2761" ->Roaming Profiles</A +>16.1. <A +HREF="#AEN2892" +>Creating and Managing System Policies</A ></DT ><DD ><DL ><DT ->18.1.1. <A -HREF="#AEN2769" ->Windows NT Configuration</A -></DT -><DT ->18.1.2. <A -HREF="#AEN2778" ->Windows 9X Configuration</A +>16.1.1. <A +HREF="#AEN2906" +>Windows 9x/Me Policies</A ></DT ><DT ->18.1.3. <A -HREF="#AEN2786" ->Win9X and WinNT Configuration</A +>16.1.2. <A +HREF="#AEN2918" +>Windows NT4 Style Policy Files</A ></DT ><DT ->18.1.4. <A -HREF="#AEN2793" ->Windows 9X Profile Setup</A -></DT -><DT ->18.1.5. <A -HREF="#AEN2829" ->Windows NT Workstation 4.0</A -></DT -><DT ->18.1.6. <A -HREF="#AEN2837" ->Windows NT/200x Server</A +>16.1.3. <A +HREF="#AEN2936" +>MS Windows 200x / XP Professional Policies</A ></DT +></DL +></DD ><DT ->18.1.7. <A -HREF="#AEN2840" ->Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +>16.2. <A +HREF="#AEN2965" +>Managing Account/User Policies</A ></DT +><DD +><DL ><DT ->18.1.8. <A -HREF="#AEN2847" ->Windows NT 4</A +>16.2.1. <A +HREF="#AEN2980" +>With Windows NT4/200x</A ></DT ><DT ->18.1.9. <A -HREF="#AEN2885" ->Windows 2000/XP</A +>16.2.2. <A +HREF="#AEN2983" +>With a Samba PDC</A ></DT ></DL ></DD ></DL ></DD ><DT ->19. <A -HREF="#INTEGRATE-MS-NETWORKS" ->Integrating MS Windows networks with Samba</A +>17. <A +HREF="#PROFILEMGMT" +>Desktop Profile Management</A ></DT ><DD ><DL ><DT ->19.1. <A -HREF="#AEN2975" ->Name Resolution in a pure Unix/Linux world</A +>17.1. 
<A +HREF="#AEN2998" +>Roaming Profiles</A ></DT ><DD ><DL ><DT ->19.1.1. <A -HREF="#AEN2991" -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></A +>17.1.1. <A +HREF="#AEN3006" +>Samba Configuration for Profile Handling</A ></DT ><DT ->19.1.2. <A -HREF="#AEN3007" -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></A +>17.1.2. <A +HREF="#AEN3031" +>Windows Client Profile Configuration Information</A ></DT ><DT ->19.1.3. <A -HREF="#AEN3018" -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></A +>17.1.3. <A +HREF="#AEN3151" +>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A ></DT ><DT ->19.1.4. <A -HREF="#AEN3026" -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A +>17.1.4. <A +HREF="#AEN3158" +>Profile Migration from Windows NT4/200x Server to Samba</A ></DT ></DL ></DD ><DT ->19.2. <A -HREF="#AEN3038" ->Name resolution as used within MS Windows networking</A +>17.2. <A +HREF="#AEN3196" +>Mandatory profiles</A ></DT -><DD -><DL ><DT ->19.2.1. <A -HREF="#AEN3050" ->The NetBIOS Name Cache</A +>17.3. <A +HREF="#AEN3203" +>Creating/Managing Group Profiles</A ></DT ><DT ->19.2.2. <A -HREF="#AEN3055" ->The LMHOSTS file</A +>17.4. <A +HREF="#AEN3209" +>Default Profile for Windows Users</A ></DT +><DD +><DL ><DT ->19.2.3. <A -HREF="#AEN3063" ->HOSTS file</A +>17.4.1. <A +HREF="#AEN3213" +>MS Windows 9x/Me</A ></DT ><DT ->19.2.4. <A -HREF="#AEN3068" ->DNS Lookup</A +>17.4.2. <A +HREF="#AEN3225" +>MS Windows NT4 Workstation</A ></DT ><DT ->19.2.5. <A -HREF="#AEN3071" ->WINS Lookup</A +>17.4.3. <A +HREF="#AEN3279" +>MS Windows 200x/XP</A ></DT ></DL ></DD ></DL ></DD ><DT ->20. <A -HREF="#IMPROVED-BROWSING" ->Improved browsing in samba</A +>18. <A +HREF="#PAM" +>PAM Configuration for Centrally Managed Authentication</A ></DT ><DD ><DL ><DT ->20.1. <A -HREF="#AEN3090" ->Overview of browsing</A +>18.1. <A +HREF="#AEN3332" +>Samba and PAM</A ></DT ><DT ->20.2. <A -HREF="#AEN3095" ->Browsing support in samba</A +>18.2. 
<A +HREF="#AEN3383" +>Distributed Authentication</A ></DT ><DT ->20.3. <A -HREF="#AEN3103" ->Problem resolution</A +>18.3. <A +HREF="#AEN3388" +>PAM Configuration in smb.conf</A ></DT +></DL +></DD ><DT ->20.4. <A -HREF="#AEN3112" ->Browsing across subnets</A +>19. <A +HREF="#VFS" +>Stackable VFS modules</A ></DT ><DD ><DL ><DT ->20.4.1. <A -HREF="#AEN3117" ->How does cross subnet browsing work ?</A +>19.1. <A +HREF="#AEN3423" +>Introduction and configuration</A ></DT -></DL -></DD ><DT ->20.5. <A -HREF="#AEN3152" ->Setting up a WINS server</A +>19.2. <A +HREF="#AEN3432" +>Included modules</A ></DT +><DD +><DL ><DT ->20.6. <A -HREF="#AEN3171" ->Setting up Browsing in a WORKGROUP</A +>19.2.1. <A +HREF="#AEN3434" +>audit</A ></DT ><DT ->20.7. <A -HREF="#AEN3189" ->Setting up Browsing in a DOMAIN</A +>19.2.2. <A +HREF="#AEN3442" +>extd_audit</A ></DT ><DT ->20.8. <A -HREF="#AEN3199" ->Forcing samba to be the master</A +>19.2.3. <A +HREF="#AEN3446" +>recycle</A ></DT ><DT ->20.9. <A -HREF="#AEN3208" ->Making samba the domain master</A +>19.2.4. <A +HREF="#AEN3483" +>netatalk</A +></DT +></DL +></DD +><DT +>19.3. <A +HREF="#AEN3490" +>VFS modules available elsewhere</A ></DT +><DD +><DL ><DT ->20.10. <A -HREF="#AEN3226" ->Note about broadcast addresses</A +>19.3.1. <A +HREF="#AEN3494" +>DatabaseFS</A ></DT ><DT ->20.11. <A -HREF="#AEN3229" ->Multiple interfaces</A +>19.3.2. <A +HREF="#AEN3502" +>vscan</A ></DT ></DL ></DD +></DL +></DD ><DT ->21. <A +>20. <A HREF="#MSDFS" >Hosting a Microsoft Distributed File System tree on Samba</A ></DT ><DD ><DL ><DT ->21.1. <A -HREF="#AEN3243" +>20.1. <A +HREF="#AEN3518" >Instructions</A ></DT ><DD ><DL ><DT ->21.1.1. <A -HREF="#AEN3278" +>20.1.1. <A +HREF="#AEN3553" >Notes</A ></DT ></DL 
@@ -7652,60 +7996,160 @@ HREF="#AEN3278" ></DL ></DD ><DT ->22. <A -HREF="#VFS" ->Stackable VFS modules</A +>21. <A +HREF="#INTEGRATE-MS-NETWORKS" +>Integrating MS Windows networks with Samba</A ></DT ><DD ><DL ><DT ->22.1. <A -HREF="#AEN3302" ->Introduction and configuration</A +>21.1. <A +HREF="#AEN3580" +>Name Resolution in a pure Unix/Linux world</A ></DT +><DD +><DL ><DT ->22.2. <A -HREF="#AEN3311" ->Included modules</A +>21.1.1. <A +HREF="#AEN3596" +><TT +CLASS="FILENAME" +>/etc/hosts</TT +></A +></DT +><DT +>21.1.2. <A +HREF="#AEN3612" +><TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></A +></DT +><DT +>21.1.3. <A +HREF="#AEN3623" +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +></A +></DT +><DT +>21.1.4. <A +HREF="#AEN3631" +><TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></A +></DT +></DL +></DD +><DT +>21.2. <A +HREF="#AEN3643" +>Name resolution as used within MS Windows networking</A ></DT ><DD ><DL ><DT ->22.2.1. <A -HREF="#AEN3313" ->audit</A +>21.2.1. <A +HREF="#AEN3655" +>The NetBIOS Name Cache</A ></DT ><DT ->22.2.2. <A -HREF="#AEN3321" ->recycle</A +>21.2.2. <A +HREF="#AEN3660" +>The LMHOSTS file</A ></DT ><DT ->22.2.3. <A -HREF="#AEN3358" ->netatalk</A +>21.2.3. <A +HREF="#AEN3668" +>HOSTS file</A +></DT +><DT +>21.2.4. <A +HREF="#AEN3673" +>DNS Lookup</A ></DT +><DT +>21.2.5. <A +HREF="#AEN3676" +>WINS Lookup</A +></DT +></DL +></DD ></DL ></DD ><DT ->22.3. <A -HREF="#AEN3365" ->VFS modules available elsewhere</A +>22. <A +HREF="#IMPROVED-BROWSING" +>Improved browsing in samba</A ></DT ><DD ><DL ><DT ->22.3.1. <A -HREF="#AEN3369" ->DatabaseFS</A +>22.1. <A +HREF="#AEN3695" +>Overview of browsing</A ></DT ><DT ->22.3.2. <A -HREF="#AEN3377" ->vscan</A +>22.2. <A +HREF="#AEN3701" +>Browsing support in samba</A +></DT +><DT +>22.3. <A +HREF="#AEN3714" +>Problem resolution</A +></DT +><DT +>22.4. <A +HREF="#AEN3725" +>Browsing across subnets</A +></DT +><DD +><DL +><DT +>22.4.1. 
<A +HREF="#AEN3730" +>How does cross subnet browsing work ?</A ></DT ></DL ></DD +><DT +>22.5. <A +HREF="#AEN3765" +>Setting up a WINS server</A +></DT +><DT +>22.6. <A +HREF="#AEN3785" +>Setting up Browsing in a WORKGROUP</A +></DT +><DT +>22.7. <A +HREF="#AEN3808" +>Setting up Browsing in a DOMAIN</A +></DT +><DT +>22.8. <A +HREF="#BROWSE-FORCE-MASTER" +>Forcing samba to be the master</A +></DT +><DT +>22.9. <A +HREF="#AEN3843" +>Making samba the domain master</A +></DT +><DT +>22.10. <A +HREF="#AEN3865" +>Note about broadcast addresses</A +></DT +><DT +>22.11. <A +HREF="#AEN3868" +>Multiple interfaces</A +></DT ></DL ></DD ><DT @@ -7717,32 +8161,32 @@ HREF="#SECURING-SAMBA" ><DL ><DT >23.1. <A -HREF="#AEN3391" +HREF="#AEN3884" >Introduction</A ></DT ><DT >23.2. <A -HREF="#AEN3394" +HREF="#AEN3887" >Using host based protection</A ></DT ><DT >23.3. <A -HREF="#AEN3401" +HREF="#AEN3894" >Using interface protection</A ></DT ><DT >23.4. <A -HREF="#AEN3410" +HREF="#AEN3903" >Using a firewall</A ></DT ><DT >23.5. <A -HREF="#AEN3417" +HREF="#AEN3910" >Using a IPC$ share deny</A ></DT ><DT >23.6. <A -HREF="#AEN3426" +HREF="#AEN3919" >Upgrading Samba</A ></DT ></DL @@ -7756,12 +8200,12 @@ HREF="#UNICODE" ><DL ><DT >24.1. <A -HREF="#AEN3440" +HREF="#AEN3933" >What are charsets and unicode?</A ></DT ><DT >24.2. <A -HREF="#AEN3449" +HREF="#AEN3942" >Samba and charsets</A ></DT ></DL 
@@ -7773,77 +8217,16 @@ HREF="#AEN3449" CLASS="CHAPTER" ><HR><H1 ><A -NAME="ADVANCEDNETWORKMANAGEMENT" -></A ->Chapter 10. Advanced Network Manangement Information</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1388" ->10.1. Remote Server Administration</A -></H2 -><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How do I get 'User Manager' and 'Server Manager'</I -></SPAN -></P -><P ->Since I don't need to buy an NT Server CD now, how do I get the 'User Manager for Domains', -the 'Server Manager'?</P -><P ->Microsoft distributes a version of these tools called nexus for installation on Windows 95 -systems. The tools set includes:</P -><P -></P -><UL -><LI -><P ->Server Manager</P -></LI -><LI -><P ->User Manager for Domains</P -></LI -><LI -><P ->Event Viewer</P -></LI -></UL -><P ->Click here to download the archived file <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A -></P -><P ->The Windows NT 4.0 version of the 'User Manager for -Domains' and 'Server Manager' are available from Microsoft via ftp -from <A -HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" -TARGET="_top" ->ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A -></P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A NAME="UNIX-PERMISSIONS" ></A ->Chapter 11. UNIX Permission Bits and Windows NT Access Control Lists</H1 +>Chapter 10. UNIX Permission Bits and Windows NT Access Control Lists</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1416" ->11.1. Viewing and changing UNIX permissions using the NT +NAME="AEN1499" +>10.1. Viewing and changing UNIX permissions using the NT security dialogs</A ></H2 ><P 
@@ -7854,14 +8237,46 @@ NAME="AEN1416" the security of the UNIX host Samba is running on, and still obeys all the file permission rules that a Samba administrator can set.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> All access to Unix/Linux system file via Samba is controlled at + the operating system file access control level. When trying to + figure out file access problems it is vitally important to identify + the identity of the Windows user as it is presented by Samba at + the point of file access. This can best be determined from the + Samba log files. + </P +></TD +></TR +></TABLE +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1420" ->11.2. How to view file security on a Samba share</A +NAME="AEN1505" +>10.2. How to view file security on a Samba share</A ></H2 ><P >From an NT4/2000/XP client, single-click with the right @@ -7929,8 +8344,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1431" ->11.3. Viewing file ownership</A +NAME="AEN1516" +>10.3. Viewing file ownership</A ></H2 ><P >Clicking on the <B @@ -8015,8 +8430,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1451" ->11.4. Viewing file or directory permissions</A +NAME="AEN1536" +>10.4. Viewing file or directory permissions</A ></H2 ><P >The third button is the <B @@ -8069,8 +8484,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1466" ->11.4.1. File Permissions</A +NAME="AEN1551" +>10.4.1. File Permissions</A ></H3 ><P >The standard UNIX user/group/world triple and @@ -8131,8 +8546,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1480" ->11.4.2. Directory Permissions</A +NAME="AEN1565" +>10.4.2. Directory Permissions</A ></H3 ><P >Directories on an NT NTFS file system have two 
@@ -8163,8 +8578,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1487" ->11.5. Modifying file or directory permissions</A +NAME="AEN1572" +>10.5. Modifying file or directory permissions</A ></H2 ><P >Modifying file and directory permissions is as simple @@ -8259,8 +8674,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1509" ->11.6. Interaction with the standard Samba create mask +NAME="AEN1594" +>10.6. Interaction with the standard Samba create mask parameters</A ></H2 ><P @@ -8453,8 +8868,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1563" ->11.7. Interaction with the standard Samba file attribute +NAME="AEN1648" +>10.7. Interaction with the standard Samba file attribute mapping</A ></H2 ><P @@ -8502,7 +8917,7 @@ CLASS="CHAPTER" ><A NAME="GROUPMAPPING" ></A ->Chapter 12. Group mapping HOWTO</H1 +>Chapter 11. Configuring Group Mapping</H1 ><P > Starting with Samba 3.0 alpha 2, a new group mapping function is available. The @@ -8570,9 +8985,9 @@ CLASS="COMMAND" >domain admins</B > group by running the command:</P ><P -><B -CLASS="COMMAND" ->smbgroupedit -c "Domain Admins" -u domadm</B +><KBD +CLASS="USERINPUT" +>smbgroupedit -c "Domain Admins" -u domadm</KBD ></P ></LI ></OL 
@@ -8592,259 +9007,115 @@ CLASS="COMMAND" ><P >You can list the various groups in the mapping database like this</P ><P -><B -CLASS="COMMAND" ->smbgroupedit -v</B +><KBD +CLASS="USERINPUT" +>smbgroupedit -v</KBD ></P ></DIV ><DIV CLASS="CHAPTER" ><HR><H1 ><A -NAME="PAM" +NAME="PRINTING" ></A ->Chapter 13. Configuring PAM for distributed but centrally -managed authentication</H1 +>Chapter 12. Printing Support</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1619" ->13.1. Samba and PAM</A +NAME="AEN1711" +>12.1. Introduction</A ></H2 ><P ->A number of Unix systems (eg: Sun Solaris), as well as the -xxxxBSD family and Linux, now utilize the Pluggable Authentication -Modules (PAM) facility to provide all authentication, -authorization and resource control services. Prior to the -introduction of PAM, a decision to use an alternative to -the system password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->) -would require the provision of alternatives for all programs that provide -security services. Such a choice would involve provision of -alternatives to such programs as: <B -CLASS="COMMAND" ->login</B ->, -<B -CLASS="COMMAND" ->passwd</B ->, <B -CLASS="COMMAND" ->chown</B ->, etc.</P +>Beginning with the 2.2.0 release, Samba supports +the native Windows NT printing mechanisms implemented via +MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of +Samba only supported LanMan printing calls.</P ><P ->PAM provides a mechanism that disconnects these security programs -from the underlying authentication/authorization infrastructure. 
-PAM is configured either through one file <TT -CLASS="FILENAME" ->/etc/pam.conf</TT -> (Solaris), -or by editing individual files that are located in <TT -CLASS="FILENAME" ->/etc/pam.d</TT ->.</P -><DIV -CLASS="NOTE" +>The additional functionality provided by the new +SPOOLSS support includes:</P ><P ></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" +><UL +><LI ><P -> If the PAM authentication module (loadable link library file) is located in the - default location then it is not necessary to specify the path. In the case of - Linux, the default location is <TT -CLASS="FILENAME" ->/lib/security</TT ->. If the module - is located other than default then the path may be specified as: - - <PRE -CLASS="PROGRAMLISTING" -> eg: "auth required /other_path/pam_strange_module.so" - </PRE -> +>Support for downloading printer driver + files to Windows 95/98/NT/2000 clients upon demand. </P -></TD -></TR -></TABLE -></DIV -><P ->The following is an example <TT -CLASS="FILENAME" ->/etc/pam.d/login</TT -> configuration file. -This example had all options been uncommented is probably not usable -as it stacks many conditions before allowing successful completion -of the login process. 
Essentially all conditions can be disabled -by commenting them out except the calls to <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `login' service - # - auth required pam_securetty.so - auth required pam_nologin.so - # auth required pam_dialup.so - # auth optional pam_mail.so - auth required pam_pwdb.so shadow md5 - # account requisite pam_time.so - account required pam_pwdb.so - session required pam_pwdb.so - # session optional pam_lastlog.so - # password required pam_cracklib.so retry=3 - password required pam_pwdb.so shadow md5</PRE -></P +></LI +><LI ><P ->PAM allows use of replacable modules. Those available on a -sample system include:</P +>Uploading of printer drivers via the + Windows NT Add Printer Wizard (APW) or the + Imprints tool set (refer to <A +HREF="http://imprints.sourceforge.net" +TARGET="_top" +>http://imprints.sourceforge.net</A +>). + </P +></LI +><LI ><P -><PRE -CLASS="PROGRAMLISTING" -> $ /bin/ls /lib/security - pam_access.so pam_ftp.so pam_limits.so - pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so - pam_cracklib.so pam_group.so pam_listfile.so - pam_nologin.so pam_rootok.so pam_tally.so - pam_deny.so pam_issue.so pam_mail.so - pam_permit.so pam_securetty.so pam_time.so - pam_dialup.so pam_lastlog.so pam_mkhomedir.so - pam_pwdb.so pam_shells.so pam_unix.so - pam_env.so pam_ldap.so pam_motd.so - pam_radius.so pam_smbpass.so pam_unix_acct.so - pam_wheel.so pam_unix_auth.so pam_unix_passwd.so - pam_userdb.so pam_warn.so pam_unix_session.so</PRE -></P +>Support for the native MS-RPC printing + calls such as StartDocPrinter, EnumJobs(), etc... 
(See + the MSDN documentation at <A +HREF="http://msdn.microsoft.com/" +TARGET="_top" +>http://msdn.microsoft.com/</A +> + for more information on the Win32 printing API) + </P +></LI +><LI ><P ->The following example for the login program replaces the use of -the <TT -CLASS="FILENAME" ->pam_pwdb.so</TT -> module which uses the system -password database (<TT -CLASS="FILENAME" ->/etc/passwd</TT ->, -<TT -CLASS="FILENAME" ->/etc/shadow</TT ->, <TT -CLASS="FILENAME" ->/etc/group</TT ->) with -the module <TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> which uses the Samba -database which contains the Microsoft MD4 encrypted password -hashes. This database is stored in either -<TT -CLASS="FILENAME" ->/usr/local/samba/private/smbpasswd</TT ->, -<TT -CLASS="FILENAME" ->/etc/samba/smbpasswd</TT ->, or in -<TT -CLASS="FILENAME" ->/etc/samba.d/smbpasswd</TT ->, depending on the -Samba implementation for your Unix/Linux system. The -<TT -CLASS="FILENAME" ->pam_smbpass.so</TT -> module is provided by -Samba version 2.2.1 or later. It can be compiled by specifying the -<B -CLASS="COMMAND" ->--with-pam_smbpass</B -> options when running Samba's -<TT -CLASS="FILENAME" ->configure</TT -> script. For more information -on the <TT -CLASS="FILENAME" ->pam_smbpass</TT -> module, see the documentation -in the <TT -CLASS="FILENAME" ->source/pam_smbpass</TT -> directory of the Samba -source distribution.</P +>Support for NT Access Control Lists (ACL) + on printer objects</P +></LI +><LI ><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `login' service - # - auth required pam_smbpass.so nodelay - account required pam_smbpass.so nodelay - session required pam_smbpass.so nodelay - password required pam_smbpass.so nodelay</PRE -></P +>Improved support for printer queue manipulation + through the use of an internal databases for spooled job + information</P +></LI +></UL ><P ->The following is the PAM configuration file for a particular -Linux system. 
The default condition uses <TT -CLASS="FILENAME" ->pam_pwdb.so</TT ->.</P +>There has been some initial confusion about what all this means +and whether or not it is a requirement for printer drivers to be +installed on a Samba host in order to support printing from Windows +clients. As a side note, Samba does not use these drivers in any way to process +spooled files. They are utilized entirely by the clients.</P ><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `samba' service - # - auth required /lib/security/pam_pwdb.so nullok nodelay shadow audit - account required /lib/security/pam_pwdb.so audit nodelay - session required /lib/security/pam_pwdb.so nodelay - password required /lib/security/pam_pwdb.so shadow md5</PRE +>The following MS KB article, may be of some help if you are dealing with +Windows 2000 clients: <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How to Add Printers with No User +Interaction in Windows 2000</I +></SPAN ></P ><P ->In the following example the decision has been made to use the -smbpasswd database even for basic samba authentication. Such a -decision could also be made for the passwd program and would -thus allow the smbpasswd passwords to be changed using the passwd -program.</P -><P -><PRE -CLASS="PROGRAMLISTING" -> #%PAM-1.0 - # The PAM configuration file for the `samba' service - # - auth required /lib/security/pam_smbpass.so nodelay - account required /lib/security/pam_pwdb.so audit nodelay - session required /lib/security/pam_pwdb.so nodelay - password required /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE +><A +HREF="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP" +TARGET="_top" +>http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</A ></P +></DIV ><DIV -CLASS="NOTE" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN1733" +>12.2. 
Configuration</A +></H2 +><DIV +CLASS="WARNING" ><P ></P ><TABLE -CLASS="NOTE" +CLASS="WARNING" WIDTH="100%" BORDER="0" ><TR 
@@ -8853,250 +9124,42 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" HSPACE="5" -ALT="Note"></TD +ALT="Warning"></TD +><TH +ALIGN="LEFT" +VALIGN="CENTER" +><B +>[print$] vs. [printer$]</B +></TH +></TR +><TR +><TD +> </TD ><TD ALIGN="LEFT" VALIGN="TOP" ><P ->PAM allows stacking of authentication mechanisms. It is -also possible to pass information obtained within one PAM module through -to the next module in the PAM stack. Please refer to the documentation for -your particular system implementation for details regarding the specific -capabilities of PAM in this environment. Some Linux implmentations also -provide the <TT -CLASS="FILENAME" ->pam_stack.so</TT -> module that allows all -authentication to be configured in a single central file. The -<TT -CLASS="FILENAME" ->pam_stack.so</TT -> method has some very devoted followers -on the basis that it allows for easier administration. As with all issues in -life though, every decision makes trade-offs, so you may want examine the -PAM documentation for further helpful information.</P -></TD -></TR -></TABLE -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1668" ->13.2. Distributed Authentication</A -></H2 -><P ->The astute administrator will realize from this that the -combination of <TT -CLASS="FILENAME" ->pam_smbpass.so</TT ->, -<B -CLASS="COMMAND" ->winbindd</B ->, and a distributed -passdb backend, such as ldap, will allow the establishment of a -centrally managed, distributed -user/password database that can also be used by all -PAM (eg: Linux) aware programs and applications. 
This arrangement -can have particularly potent advantages compared with the -use of Microsoft Active Directory Service (ADS) in so far as -reduction of wide area network authentication traffic.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1673" ->13.3. PAM Configuration in smb.conf</A -></H2 -><P ->There is an option in smb.conf called <A -HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" -TARGET="_top" ->obey pam restrictions</A ->. -The following is from the on-line help for this option in SWAT;</P -><P ->When Samba is configured to enable PAM support (i.e. -<CODE -CLASS="CONSTANT" ->--with-pam</CODE ->), this parameter will -control whether or not Samba should obey PAM's account -and session management directives. The default behavior -is to use PAM for clear text authentication only and to -ignore any account or session management. Note that Samba always -ignores PAM for authentication in the case of -<A -HREF="smb.conf.5.html#ENCRYPTPASSWORDS" -TARGET="_top" ->encrypt passwords = yes</A ->. -The reason is that PAM modules cannot support the challenge/response -authentication mechanism needed in the presence of SMB -password encryption. </P -><P ->Default: <B -CLASS="COMMAND" ->obey pam restrictions = no</B -></P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="PRINTING" -></A ->Chapter 14. Printing Support</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN1699" ->14.1. Introduction</A -></H2 -><P ->Beginning with the 2.2.0 release, Samba supports -the native Windows NT printing mechanisms implemented via -MS-RPC (i.e. the SPOOLSS named pipe). Previous versions of -Samba only supported LanMan printing calls.</P -><P ->The additional functionality provided by the new -SPOOLSS support includes:</P -><P -></P -><UL -><LI -><P ->Support for downloading printer driver - files to Windows 95/98/NT/2000 clients upon demand. 
- </P -></LI -><LI -><P ->Uploading of printer drivers via the - Windows NT Add Printer Wizard (APW) or the - Imprints tool set (refer to <A -HREF="http://imprints.sourceforge.net" -TARGET="_top" ->http://imprints.sourceforge.net</A ->). - </P -></LI -><LI -><P ->Support for the native MS-RPC printing - calls such as StartDocPrinter, EnumJobs(), etc... (See - the MSDN documentation at <A -HREF="http://msdn.microsoft.com/" -TARGET="_top" ->http://msdn.microsoft.com/</A -> - for more information on the Win32 printing API) - </P -></LI -><LI -><P ->Support for NT Access Control Lists (ACL) - on printer objects</P -></LI -><LI -><P ->Improved support for printer queue manipulation - through the use of an internal databases for spooled job - information</P -></LI -></UL -><P ->There has been some initial confusion about what all this means -and whether or not it is a requirement for printer drivers to be -installed on a Samba host in order to support printing from Windows -clients. As a side note, Samba does not use these drivers in any way to process -spooled files. They are utilized entirely by the clients.</P -><P ->The following MS KB article, may be of some help if you are dealing with -Windows 2000 clients: <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->How to Add Printers with No User -Interaction in Windows 2000</I -></SPAN -></P -><P -><A -HREF="http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP" -TARGET="_top" ->http://support.microsoft.com/support/kb/articles/Q189/1/05.ASP</A -></P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN1721" ->14.2. Configuration</A -></H2 -><DIV -CLASS="WARNING" -><P -></P -><TABLE -CLASS="WARNING" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" -HSPACE="5" -ALT="Warning"></TD -><TH -ALIGN="LEFT" -VALIGN="CENTER" -><B ->[print$] vs. 
[printer$]</B -></TH -></TR -><TR -><TD -> </TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->Previous versions of Samba recommended using a share named [printer$]. -This name was taken from the printer$ service created by Windows 9x -clients when a printer was shared. Windows 9x printer servers always have -a printer$ service which provides read-only access via no -password in order to support printer driver downloads.</P -><P ->However, the initial implementation allowed for a -parameter named <VAR -CLASS="PARAMETER" ->printer driver location</VAR -> -to be used on a per share basis to specify the location of -the driver files associated with that printer. Another -parameter named <VAR -CLASS="PARAMETER" ->printer driver</VAR -> provided -a means of defining the printer driver name to be sent to -the client.</P +>Previous versions of Samba recommended using a share named [printer$]. +This name was taken from the printer$ service created by Windows 9x +clients when a printer was shared. Windows 9x printer servers always have +a printer$ service which provides read-only access via no +password in order to support printer driver downloads.</P +><P +>However, the initial implementation allowed for a +parameter named <VAR +CLASS="PARAMETER" +>printer driver location</VAR +> +to be used on a per share basis to specify the location of +the driver files associated with that printer. Another +parameter named <VAR +CLASS="PARAMETER" +>printer driver</VAR +> provided +a means of defining the printer driver name to be sent to +the client.</P ></TD ></TR ></TABLE @@ -9106,8 +9169,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1729" ->14.2.1. Creating [print$]</A +NAME="AEN1741" +>12.2.1. Creating [print$]</A ></H3 ><P >In order to support the uploading of printer driver 
@@ -9233,14 +9296,14 @@ Samba follows this model as well.</P >Next create the directory tree below the [print$] share for each architecture you wish to support.</P ><P -><PRE -CLASS="PROGRAMLISTING" +><SAMP +CLASS="COMPUTEROUTPUT" >[print$]----- |-W32X86 ; "Windows NT x86" |-WIN40 ; "Windows 95/98" |-W32ALPHA ; "Windows NT Alpha_AXP" |-W32MIPS ; "Windows NT R4000" - |-W32PPC ; "Windows NT PowerPC"</PRE + |-W32PPC ; "Windows NT PowerPC"</SAMP ></P ><DIV CLASS="WARNING" @@ -9323,8 +9386,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1764" ->14.2.2. Setting Drivers for Existing Printers</A +NAME="AEN1776" +>12.2.2. Setting Drivers for Existing Printers</A ></H3 ><P >The initial listing of printers in the Samba host's @@ -9395,8 +9458,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1780" ->14.2.3. Support a large number of printers</A +NAME="AEN1792" +>12.2.3. Support a large number of printers</A ></H3 ><P >One issue that has arisen during the development @@ -9415,13 +9478,16 @@ setdriver command</B associated with an installed driver. The following is example of how this could be accomplished:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> -<SAMP +><SAMP CLASS="PROMPT" >$ </SAMP ->rpcclient pogo -U root%secret -c "enumdrivers" +><KBD +CLASS="USERINPUT" +>rpcclient pogo -U root%secret -c "enumdrivers"</KBD +> +<PRE +CLASS="PROGRAMLISTING" +> Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] [Windows NT x86] 
@@ -9432,27 +9498,34 @@ Printer Driver Info 1: Driver Name: [HP LaserJet 2100 Series PS] Printer Driver Info 1: - Driver Name: [HP LaserJet 4Si/4SiMX PS] - + Driver Name: [HP LaserJet 4Si/4SiMX PS]</PRE +> <SAMP CLASS="PROMPT" >$ </SAMP ->rpcclient pogo -U root%secret -c "enumprinters" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] +><KBD +CLASS="USERINPUT" +>rpcclient pogo -U root%secret -c "enumprinters"</KBD +> +<PRE +CLASS="PROGRAMLISTING" +>Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] flags:[0x800000] name:[\\POGO\hp-print] description:[POGO\\POGO\hp-print,NO DRIVER AVAILABLE FOR THIS PRINTER,] comment:[] - + </PRE +> <SAMP CLASS="PROMPT" >$ </SAMP ->rpcclient pogo -U root%secret \ -<SAMP -CLASS="PROMPT" ->> </SAMP -> -c "setdriver hp-print \"HP LaserJet 4000 Series PS\"" -Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] +><KBD +CLASS="USERINPUT" +>rpcclient pogo -U root%secret -c "setdriver hp-print \"HP LaserJet 4000 Series PS\""</KBD +> +<PRE +CLASS="PROGRAMLISTING" +>Domain=[NARNIA] OS=[Unix] Server=[Samba 2.2.0-alpha3] Successfully set hp-print to driver HP LaserJet 4000 Series PS.</PRE ></P ></DIV @@ -9461,8 +9534,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1791" ->14.2.4. Adding New Printers via the Windows NT APW</A +NAME="AEN1807" +>12.2.4. Adding New Printers via the Windows NT APW</A ></H3 ><P >By default, Samba offers all printer shares defined in <TT @@ -9616,8 +9689,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1821" ->14.2.5. Samba and Printer Ports</A +NAME="AEN1837" +>12.2.5. Samba and Printer Ports</A ></H3 ><P >Windows NT/2000 print servers associate a port with each printer. These normally @@ -9651,8 +9724,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1829" ->14.3. The Imprints Toolset</A +NAME="AEN1845" +>12.3. The Imprints Toolset</A ></H2 ><P >The Imprints tool set provides a UNIX equivalent of the 
@@ -9669,8 +9742,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1833" ->14.3.1. What is Imprints?</A +NAME="AEN1849" +>12.3.1. What is Imprints?</A ></H3 ><P >Imprints is a collection of tools for supporting the goals @@ -9701,8 +9774,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1843" ->14.3.2. Creating Printer Driver Packages</A +NAME="AEN1859" +>12.3.2. Creating Printer Driver Packages</A ></H3 ><P >The process of creating printer driver packages is beyond @@ -9717,8 +9790,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1846" ->14.3.3. The Imprints server</A +NAME="AEN1862" +>12.3.3. The Imprints server</A ></H3 ><P >The Imprints server is really a database server that @@ -9741,8 +9814,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1850" ->14.3.4. The Installation Client</A +NAME="AEN1866" +>12.3.4. The Installation Client</A ></H3 ><P >More information regarding the Imprints installation client @@ -9835,16 +9908,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1872" ->14.4. Diagnosis</A +NAME="AEN1888" +>12.4. Diagnosis</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN1874" ->14.4.1. Introduction</A +NAME="AEN1890" +>12.4.1. Introduction</A ></H3 ><P >This is a short description of how to debug printing problems with @@ -9918,8 +9991,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1890" ->14.4.2. Debugging printer problems</A +NAME="AEN1906" +>12.4.2. Debugging printer problems</A ></H3 ><P >One way to debug printing problems is to start by replacing these @@ -9975,8 +10048,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1899" ->14.4.3. What printers do I have?</A +NAME="AEN1915" +>12.4.3. What printers do I have?</A ></H3 ><P >You can use the 'testprns' program to check to see if the printer 
@@ -10004,8 +10077,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1907" ->14.4.4. Setting up printcap and print servers</A +NAME="AEN1923" +>12.4.4. Setting up printcap and print servers</A ></H3 ><P >You may need to set up some printcaps for your Samba system to use. @@ -10088,8 +10161,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1935" ->14.4.5. Job sent, no output</A +NAME="AEN1951" +>12.4.5. Job sent, no output</A ></H3 ><P >This is the most frustrating part of printing. You may have sent the @@ -10133,8 +10206,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1946" ->14.4.6. Job sent, strange output</A +NAME="AEN1962" +>12.4.6. Job sent, strange output</A ></H3 ><P >Once you have the job printing, you can then start worrying about @@ -10179,8 +10252,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1958" ->14.4.7. Raw PostScript printed</A +NAME="AEN1974" +>12.4.7. Raw PostScript printed</A ></H3 ><P >This is a problem that is usually caused by either the print spooling @@ -10194,8 +10267,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1961" ->14.4.8. Advanced Printing</A +NAME="AEN1977" +>12.4.8. Advanced Printing</A ></H3 ><P >Note that you can do some pretty magic things by using your @@ -10210,8 +10283,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN1964" ->14.4.9. Real debugging</A +NAME="AEN1980" +>12.4.9. Real debugging</A ></H3 ><P >If the above debug tips don't help, then maybe you need to bring in @@ -10225,14 +10298,14 @@ CLASS="CHAPTER" ><A NAME="CUPS-PRINTING" ></A ->Chapter 15. CUPS Printing Support</H1 +>Chapter 13. CUPS Printing Support</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN1984" ->15.1. Introduction</A +NAME="AEN2000" +>13.1. Introduction</A ></H2 ><P >The Common Unix Print System (CUPS) has become very popular, but to many it is 
@@ -10253,29 +10326,142 @@ many ways this gives CUPS similar capabilities to the MS Windows print monitorin system. Of course, if you are a CUPS advocate, you would agrue that CUPS is better! In any case, let us now move on to explore how one may configure CUPS for interfacing with MS Windows print clients via Samba.</P +><P +><A +HREF="http://www.cups.org/" +TARGET="_top" +>CUPS</A +> is a newcomer in the UNIX printing scene, +which has convinced many people upon first trial already. However, it has quite a few +new features, which make it different from other, more traditional printing systems.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN1989" ->15.2. CUPS - RAW Print Through Mode</A +NAME="AEN2007" +>13.2. Configuring <TT +CLASS="FILENAME" +>smb.conf</TT +> for CUPS</A ></H2 ><P ->When CUPS printers are configured for RAW print-through mode operation it is the -responsibility of the Samba client to fully render the print job (file) in a format -that is suitable for direct delivery to the printer. In this case CUPS will NOT -do any print file format conversion work.</P -><P ->The CUPS files that need to be correctly set for RAW mode printers to work are: - -<P -></P -><UL -><LI -><P -><TT +>Printing with CUPS in the most basic <TT +CLASS="FILENAME" +>smb.conf</TT +> +setup in Samba-3 only needs two settings: <B +CLASS="COMMAND" +>printing = cups</B +> and +<B +CLASS="COMMAND" +>printcap = cups</B +>. While CUPS itself doesn't need a printcap +anymore, the <TT +CLASS="FILENAME" +>cupsd.conf</TT +> configuration file knows two directives +(example: <B +CLASS="COMMAND" +>Printcap /etc/printcap</B +> and <B +CLASS="COMMAND" +>PrintcapFormat +BSD</B +>), which control if such a file should be created for the +convenience of third party applications. Make sure it is set! 
For details see +<B +CLASS="COMMAND" +>man cupsd.conf</B +> and other CUPS-related documentation.</P +><P +>If SAMBA is compiled against libcups, then <B +CLASS="COMMAND" +>printcap = cups</B +> uses the +CUPS API to list printers, submit jobs, etc. Otherwise it maps to the System V commands +with an additional <VAR +CLASS="PARAMETER" +>-oraw</VAR +> option for printing. On a Linux system, +you can use the <B +CLASS="COMMAND" +>ldd</B +> command to find out details (ldd may not be +present on other OS platforms, or its function may be embodied by a different command):</P +><P +><PRE +CLASS="PROGRAMLISTING" +>transmeta:/home/kurt # ldd `which smbd` + libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x4002d000) + libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x4005a000) + libcups.so.2 => /usr/lib/libcups.so.2 (0x40123000) + libdl.so.2 => /lib/libdl.so.2 (0x401e8000) + libnsl.so.1 => /lib/libnsl.so.1 (0x401ec000) + libpam.so.0 => /lib/libpam.so.0 (0x40202000) + libc.so.6 => /lib/libc.so.6 (0x4020b000) + /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)</PRE +></P +><P +>The line "libcups.so.2 => /usr/lib/libcups.so.2 +(0x40123000)" shows there is CUPS support compiled into this version of +Samba. If this is the case, and <B +CLASS="COMMAND" +>printing = cups</B +> is set, then any +otherwise manually set print command in smb.conf is ignored.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2026" +>13.3. 
CUPS - RAW Print Through Mode</A +></H2 +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>When used in raw print through mode is will be necessary to use the printer +vendor's drivers in each Windows client PC.</P +></TD +></TR +></TABLE +></DIV +><P +>When CUPS printers are configured for RAW print-through mode operation it is the +responsibility of the Samba client to fully render the print job (file) in a format +that is suitable for direct delivery to the printer. In this case CUPS will NOT +do any print file format conversion work.</P +><P +>The CUPS files that need to be correctly set for RAW mode printers to work are: + +<P +></P +><UL +><LI +><P +><TT CLASS="FILENAME" >/etc/cups/mime.types</TT ></P 
@@ -10545,170 +10731,516 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2044" ->15.3. The CUPS Filter Chains</A +NAME="AEN2083" +>13.4. CUPS as a network PostScript RIP -- CUPS drivers working on server, Adobe +PostScript driver with CUPS-PPDs downloaded to clients</A ></H2 ><P ->The following diagrams reveal how CUPS handles print jobs.</P +>CUPS is perfectly able to use PPD files (PostScript +Printer Descriptions). PPDs can control all print device options. They +are usually provided by the manufacturer -- if you own a PostSript printer, +that is. PPD files are always a component of PostScript printer drivers on MS +Windows or Apple Mac OS systems. They are ASCII files containing +user-selectable print options, mapped to appropriate PostScript, PCL or PJL +commands for the target printer. Printer driver GUI dialogs translate these +options "on-the-fly" into buttons and drop-down lists for the user to +select.</P +><P +>CUPS can load, without any conversions, the PPD file from +any Windows (NT is recommended) PostScript driver and handle the options. +There is a web browser interface to the print options (select +http://localhost:631/printers/ and click on one "Configure Printer" button +to see it), a commandline interface (see <B +CLASS="COMMAND" +>man lpoptions</B +> or +try if you have <B +CLASS="COMMAND" +>lphelp</B +> on your system) plus some different GUI frontends on Linux +UNIX, which can present PPD options to the users. PPD options are normally +meant to become evaluated by the PostScript RIP on the real PostScript +printer.</P +><P +>CUPS doesn't stop at "real" PostScript printers in its +usage of PPDs. The CUPS developers have extended the PPD concept, to also +describe available device and driver options for non-PostScript printers +through CUPS-PPDs.</P +><P +>This is logical, as CUPS includes a fully featured +PostScript interpreter (RIP). This RIP is based on Ghostscript. 
It can +process all received PostScript (and additionally many other file formats) +from clients. All CUPS-PPDs geared to non-PostScript printers contain an +additional line, starting with the keyword <VAR +CLASS="PARAMETER" +>*cupsFilter</VAR +>. +This line +tells the CUPS print system which printer-specific filter to use for the +interpretation of the accompanying PostScript. Thus CUPS lets all its +printers appear as PostScript devices to its clients, because it can act as a +PostScript RIP for those printers, processing the received PostScript code +into a proper raster print format.</P +><P +>CUPS-PPDs can also be used on Windows-Clients, on top of a +PostScript driver (recommended is the Adobe one).</P +><P +>This feature enables CUPS to do a few tricks no other +spooler can do:</P +><P +></P +><UL +><LI +><P +>act as a networked PostScript RIP (Raster Image Processor), handling + printfiles from all client platforms in a uniform way;</P +></LI +><LI +><P +>act as a central accounting and billing server, as all files are passed + through the <B +CLASS="COMMAND" +>pstops</B +> Filter and are therefor logged in + the CUPS <TT +CLASS="FILENAME" +>page_log</TT +>. - <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +>this + can not happen with "raw" print jobs, which always remain unfiltered + per definition;</P +></LI +><LI +><P +>enable clients to consolidate on a single PostScript driver, even for + many different target printers.</P +></LI +></UL +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2104" +>13.5. Windows Terminal Servers (WTS) as CUPS clients</A +></H2 +><P +>This setup may be of special interest to people +experiencing major problems in WTS environments. WTS need often a multitude +of non-PostScript drivers installed to run their clients' variety of +different printer models. This often imposes the price of much increased +instability. 
In many cases, in an attempt to overcome this problem, site +administrators have resorted to restrict the allowed drivers installed on +their WTS to one generic PCL- and one PostScript driver. This however +restricts the clients in the amount of printer options available for them -- +often they can't get out more then simplex prints from one standard paper +tray, while their devices could do much better, if driven by a different +driver!</P +><P +>Using an Adobe PostScript driver, enabled with a CUPS-PPD, +seems to be a very elegant way to overcome all these shortcomings. The +PostScript driver is not known to cause major stability problems on WTS (even +if used with many different PPDs). The clients will be able to (again) chose +paper trays, duplex printing and other settings. However, there is a certain +price for this too: a CUPS server acting as a PostScript RIP for its clients +requires more CPU and RAM than just to act as a "raw spooling" device. Plus, +this setup is not yet widely tested, although the first feedbacks look very +promising...</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2108" +>13.6. Setting up CUPS for driver download</A +></H2 +><P +>The <B +CLASS="COMMAND" +>cupsadsmb</B +> utility (shipped with all current +CUPS versions) makes the sharing of any (or all) installed CUPS printers very +easy. 
Prior to using it, you need the following settings in smb.conf:</P +><P ><PRE CLASS="PROGRAMLISTING" ->######################################################################### -# -# CUPS in and of itself has this (general) filter chain (CAPITAL -# letters are FILE-FORMATS or MIME types, other are filters (this is -# true for pre-1.1.15 of pre-4.3 versions of CUPS and ESP PrintPro): -# -# <VAR -CLASS="REPLACEABLE" ->SOMETHNG</VAR ->-FILEFORMAT -# | -# | -# V -# <VAR -CLASS="REPLACEABLE" ->something</VAR ->tops -# | -# | -# V -# APPLICATION/POSTSCRIPT -# | -# | -# V -# pstops -# | -# | -# V -# APPLICATION/VND.CUPS-POSTSCRIPT -# | -# | -# V -# pstoraster # as shipped with CUPS, independent from any Ghostscipt -# | # installation on the system -# | (= "postscipt interpreter") -# | -# V -# APPLICATION/VND.CUPS-RASTER -# | -# | -# V -# rasterto<VAR -CLASS="REPLACEABLE" ->something</VAR -> (f.e. Gimp-Print filters may be plugged in here) -# | (= "raster driver") -# | -# V -# SOMETHING-DEVICE-SPECIFIC -# | -# | -# V -# backend -# -# -# ESP PrintPro has some enhanced "rasterto<VAR -CLASS="REPLACEABLE" ->something</VAR ->" filters as compared to -# CUPS, and also a somewhat improved "pstoraster" filter. -# -# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to -# CUPS and ESP PrintPro plug-in where rasterto<VAR -CLASS="REPLACEABLE" ->something</VAR -> is noted. 
-# -#########################################################################</PRE +>[global] + load printers = yes + printing = cups + printcap name = cups + + [printers] + comment = All Printers + path = /var/spool/samba + browseable = no + public = yes + guest ok = yes + writable = no + printable = yes + printer admin = root + + [print$] + comment = Printer Drivers + path = /etc/samba/drivers + browseable = yes + guest ok = no + read only = yes + write list = root + </PRE +></P +><P +>For licensing reasons the necessary files of the Adobe +Postscript driver can not be distributed with either Samba or CUPS. You need +to download them yourself from the Adobe website. Once extracted, create a +<TT +CLASS="FILENAME" +>drivers</TT +> directory in the CUPS data directory (usually +<TT +CLASS="FILENAME" +>/usr/share/cups/</TT +>). Copy the Adobe files using +UPPERCASE filenames, to this directory as follows:</P +><P ><PRE CLASS="PROGRAMLISTING" ->######################################################################### -# -# This is how "cupsomatic" comes into play: -# ========================================= -# -# <VAR -CLASS="REPLACEABLE" ->SOMETHNG</VAR ->-FILEFORMAT -# | -# | -# V -# <VAR -CLASS="REPLACEABLE" ->something</VAR ->tops -# | -# | -# V -# APPLICATION/POSTSCRIPT -# | -# | -# V -# pstops -# | -# | -# V -# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+ -# | | -# | V -# V cupsomatic -# pstoraster (constructs complicated -# | (= "postscipt interpreter") Ghostscript commandline -# | to let the file be -# V processed by a -# APPLICATION/VND.CUPS-RASTER "-sDEVICE=<VAR -CLASS="REPLACEABLE" ->s.th.</VAR ->" -# | call...) -# | | -# V | -# rasterto<VAR -CLASS="REPLACEABLE" ->something</VAR -> V -# | (= "raster driver") +-------------------------+ -# | | Ghostscript at work.... 
| -# V | | -# SOMETHING-DEVICE-SPECIFIC *-------------------------+ -# | | -# | | -# V | -# backend >------------------------------------+ -# | -# | -# V -# THE PRINTER -# -# -# Note, that cupsomatic "kidnaps" the printfile after the -# "APPLICATION/VND.CUPS-POSTSCRPT" stage and deviates it through -# the CUPS-external, systemwide Ghostscript installation, bypassing the -# "pstoraster" filter (therefor also bypassing the CUPS-raster-drivers -# "rasterto<VAR -CLASS="REPLACEABLE" ->something</VAR ->", and hands the rasterized file directly to the CUPS -# backend... -# -# cupsomatic is not made by the CUPS developers. It is an independent -# contribution to printing development, made by people from -# Linuxprinting.org. (see also http://www.cups.org/cups-help.html) -# -# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to -# CUPS and ESP PrintPro plug-in where rasterto<VAR -CLASS="REPLACEABLE" ->something</VAR -> is noted. -# -#########################################################################</PRE +> ADFONTS.MFM + ADOBEPS4.DRV + ADOBEPS4.HLP + ADOBEPS5.DLL + ADOBEPSU.DLL + ADOBEPSU.HLP + DEFPRTR2.PPD + ICONLIB.DLL + </PRE +></P +><P +>Users of the ESP Print Pro software are able to install +their "Samba Drivers" package for this purpose with no problem.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2120" +>13.7. 
Sources of CUPS drivers / PPDs</A +></H2 +><P +>On the internet you can find now many thousand CUPS-PPD +files (with their companion filters), in many national languages, +supporting more than 1.000 non-PostScript models.</P +><P +></P +><UL +><LI +><P +><A +HREF="http://wwwl.easysw.com/printpro/" +TARGET="_top" +>ESP PrintPro + (http://wwwl.easysw.com/printpro/)</A +> + (commercial, non-Free) is packaged with more than 3.000 PPDs, ready for + successful usage "out of the box" on Linux, IBM-AIX, HP-UX, Sun-Solaris, + SGI-IRIX, Compaq Tru64, Digital Unix and some more commercial Unices (it + is written by the CUPS developers themselves and its sales help finance + the further development of CUPS, as they feed their creators)</P +></LI +><LI +><P +>the <A +HREF="http://gimp-print.sourceforge.net/" +TARGET="_top" +>Gimp-Print-Project + (http://gimp-print.sourceforge.net/)</A +> + (GPL, Free Software) provides around 120 PPDs (supporting nearly 300 + printers, many driven to photo quality output), to be used alongside the + Gimp-Print CUPS filters;</P +></LI +><LI +><P +><A +HREF="http://www.turboprint.com/" +TARGET="_top" +>TurboPrint + (http://www.turboprint.com/)</A +> + (Shareware, non-Freee) supports roughly the same amount of printers in + excellent quality;</P +></LI +><LI +><P +><A +HREF="http://www-124.ibm.com/developerworks/oss/linux/projects/omni/" +TARGET="_top" +>OMNI + (http://www-124.ibm.com/developerworks/oss/linux/projects/omni/)</A +> + (LPGL, Free) is a package made by IBM, now containing support for more + than 400 printers, stemming from the inheritance of IBM OS/2 KnowHow + ported over to Linux (CUPS support is in a Beta-stage at present);</P +></LI +><LI +><P +><A +HREF="http://hpinkjet.sourceforge.net/" +TARGET="_top" +>HPIJS + (http://hpinkjet.sourceforge.net/)</A +> + (BSD-style licnes, Free) supports around 120 of HP's own printers and is + also providing excellent print quality now;</P +></LI +><LI +><P +><A 
+HREF="http://www.linuxprinting.org/" +TARGET="_top" +>Foomatic/cupsomatic (http://www.linuxprinting.org/)</A +> + (LPGL, Free) from Linuxprinting.org are providing PPDs for practically every + Ghostscript filter known to the world, now usable with CUPS.</P +></LI +></UL +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +>the cupsomatic trick from Linuxprinting.org is +working different from the other drivers. While the other drivers take the +generic CUPS raster (produced by CUPS' own pstoraster PostScript RIP) as +their input, cupsomatic "kidnaps" the PostScript inside CUPS, before +RIP-ping, deviates it to an external Ghostscript installation (which now +becomes the RIP) and gives it back to a CUPS backend once Ghostscript is +finished. -- CUPS versions from 1.1.15 and later will provide their pstoraster +PostScript RIP function again inside a system-wide Ghostscript +installation rather than in "their own" pstoraster filter. (This +CUPS-enabling Ghostscript version may be installed either as a +patch to GNU or AFPL Ghostscript, or as a complete ESP Ghostscript package). +However, this will not change the cupsomatic approach of guiding the printjob +along a different path through the filtering system than the standard CUPS +way...</P +><P +>Once you installed a printer inside CUPS with one of the +recommended methods (the lpadmin command, the web browser interface or one of +the available GUI wizards), you can use <B +CLASS="COMMAND" +>cupsaddsmb</B +> to share the +printer via Samba. <B +CLASS="COMMAND" +>cupsaddsmb</B +> prepares the driver files for +comfortable client download and installation upon their first contact with +this printer share.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2147" +>13.7.1. 
<B +CLASS="COMMAND" +>cupsaddsmb</B +></A +></H3 +><P +>The <B +CLASS="COMMAND" +>cupsaddsmb</B +> command copies the needed files +for convenient Windows client installations from the previously prepared CUPS +data directory to your [print$] share. Additionally, the PPD +associated with this printer is copied from <TT +CLASS="FILENAME" +>/etc/cups/ppd/</TT +> to +[print$].</P +><P +><PRE +CLASS="PROGRAMLISTING" +><SAMP +CLASS="PROMPT" +>root# </SAMP +> <B +CLASS="COMMAND" +>cupsaddsmb -U root infotec_IS2027</B +> +Password for root required to access localhost via SAMBA: <KBD +CLASS="USERINPUT" +>[type in password 'secret']</KBD +></PRE +></P +><P +>To share all printers and drivers, use the <VAR +CLASS="PARAMETER" +>-a</VAR +> +parameter instead of a printer name.</P +><P +>Probably you want to see what's going on. Use the +<VAR +CLASS="PARAMETER" +>-v</VAR +> parameter to get a more verbose output:</P +><P +>Probably you want to see what's going on. Use the +<VAR +CLASS="PARAMETER" +>-v</VAR +> parameter to get a more verbose output:</P +><P +><PRE +CLASS="PROGRAMLISTING" +>Note: The following line shave been wrapped so that information is not lost. 
+ +<SAMP +CLASS="PROMPT" +>root# </SAMP +> cupsaddsmb -v -U root infotec_IS2027 + Password for root required to access localhost via SAMBA: + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir W32X86;put + /var/spool/cups/tmp/3cd1cc66376c0 W32X86/infotec_IS2027.PPD;put /usr/share/cups/drivers/ + ADOBEPS5.DLL W32X86/ADOBEPS5.DLL;put /usr/share/cups/drivers/ADOBEPSU.DLLr + W32X86/ADOBEPSU.DLL;put /usr/share/cups/drivers/ADOBEPSU.HLP W32X86/ADOBEPSU.HLP' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \W32X86 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \W32X86/infotec_IS2027.PPD (17394.6 kb/s) + (average 17395.2 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS5.DLL as \W32X86/ADOBEPS5.DLL (10877.4 kb/s) + (average 11343.0 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.DLL as \W32X86/ADOBEPSU.DLL (5095.2 kb/s) + (average 9260.4 kb/s) + putting file /usr/share/cups/drivers/ADOBEPSU.HLP as \W32X86/ADOBEPSU.HLP (8828.7 kb/s) + (average 9247.1 kb/s) + + Running command: smbclient //localhost/print\$ -N -U'root%secret' -c 'mkdir WIN40;put + /var/spool/cups/tmp/3cd1cc66376c0 WIN40/infotec_IS2027.PPD;put + /usr/share/cups/drivers/ADFONTS.MFM WIN40/ADFONTS.MFM;put + /usr/share/cups/drivers/ADOBEPS4.DRV WIN40/ADOBEPS4.DRV;put + /usr/share/cups/drivers/ADOBEPS4.HLP WIN40/ADOBEPS4.HLP;put + /usr/share/cups/drivers/DEFPRTR2.PPD WIN40/DEFPRTR2.PPD;put + /usr/share/cups/drivers/ICONLIB.DLL WIN40/ICONLIB.DLL;put + /usr/share/cups/drivers/PSMON.DLL WIN40/PSMON.DLL;' + added interface ip=10.160.16.45 bcast=10.160.31.255 nmask=255.255.240.0 + added interface ip=192.168.182.1 bcast=192.168.182.255 nmask=255.255.255.0 + added interface 
ip=172.16.200.1 bcast=172.16.200.255 nmask=255.255.255.0 + Domain=[TUX-NET] OS=[Unix] Server=[Samba 2.2.3a.200204262025cvs] + NT_STATUS_OBJECT_NAME_COLLISION making remote directory \WIN40 + putting file /var/spool/cups/tmp/3cd1cc66376c0 as \WIN40/infotec_IS2027.PPD (26091.5 kb/s) + (average 26092.8 kb/s) + putting file /usr/share/cups/drivers/ADFONTS.MFM as \WIN40/ADFONTS.MFM (11241.6 kb/s) + (average 11812.9 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.DRV as \WIN40/ADOBEPS4.DRV (16640.6 kb/s) + (average 14679.3 kb/s) + putting file /usr/share/cups/drivers/ADOBEPS4.HLP as \WIN40/ADOBEPS4.HLP (11285.6 kb/s) + (average 14281.5 kb/s) + putting file /usr/share/cups/drivers/DEFPRTR2.PPD as \WIN40/DEFPRTR2.PPD (823.5 kb/s) + (average 12944.0 kb/s) + putting file /usr/share/cups/drivers/ICONLIB.DLL as \WIN40/ICONLIB.DLL (19226.2 kb/s) + (average 13169.7 kb/s) + putting file /usr/share/cups/drivers/PSMON.DLL as \WIN40/PSMON.DLL (18666.1 kb/s) + (average 13266.7 kb/s) + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows NT x86" + "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL:ADOBEPSU.HLP:NULL:RAW:NULL"' + cmd = adddriver "Windows NT x86" "infotec_IS2027:ADOBEPS5.DLL:infotec_IS2027.PPD:ADOBEPSU.DLL: + ADOBEPSU.HLP:NULL:RAW:NULL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' -c 'adddriver "Windows 4.0" + "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL:ADOBEPS4.HLP:PSMON.DLL:RAW: + ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL"' + cmd = adddriver "Windows 4.0" "infotec_IS2027:ADOBEPS4.DRV:infotec_IS2027.PPD:NULL: + ADOBEPS4.HLP:PSMON.DLL:RAW:ADFONTS.MFM,DEFPRTR2.PPD,ICONLIB.DLL" + Printer Driver infotec_IS2027 successfully installed. + + Running command: rpcclient localhost -N -U'root%secret' + -c 'setdriver infotec_IS2027 infotec_IS2027' + cmd = setdriver infotec_IS2027 infotec_IS2027 + Succesfully set infotec_IS2027 to driver infotec_IS2027. 
+ + <SAMP +CLASS="PROMPT" +>root# </SAMP +></PRE +></P +><P +>If you look closely, you'll discover your root password was transfered unencrypted over +the wire, so beware! Also, if you look further her, you'll discover error messages like +<CODE +CLASS="CONSTANT" +>NT_STATUS_OBJECT_NAME_COLLISION</CODE +> in between. They occur, because +the directories <TT +CLASS="FILENAME" +>WIN40</TT +> and <TT +CLASS="FILENAME" +>W32X86</TT +> already +existed in the [print$] driver download share (from a previous driver +installation). They are harmless here.</P +><P +>Now your printer is prepared for the clients to use. From +a client, browse to the CUPS/Samba server, open the "Printers" +share, right-click on this printer and select "Install..." or +"Connect..." (depending on the Windows version you use). Now their +should be a new printer in your client's local "Printers" folder, +named (in my case) "infotec_IS2027 on kdebitshop"</P +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>NOTE: </I +></SPAN +> +<B +CLASS="COMMAND" +>cupsaddsmb</B +> will only reliably work i +with CUPS version 1.1.15 or higher +and Samba from 2.2.4. If it doesn't work, or if the automatic printer +driver download to the clients doesn't succeed, you can still manually +install the CUPS printer PPD on top of the Adobe PostScript driver on +clients and then point the client's printer queue to the Samba printer +share for connection, should you desire to use the CUPS networked +PostScript RIP functions.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2176" +>13.8. 
The CUPS Filter Chains</A +></H2 +><P +>The following diagrams reveal how CUPS handles print jobs.</P ><PRE CLASS="PROGRAMLISTING" >######################################################################### # -# And this is how it works for ESP PrintPro from 4.3: -# =================================================== +# CUPS in and of itself has this (general) filter chain (CAPITAL +# letters are FILE-FORMATS or MIME types, other are filters (this is +# true for pre-1.1.15 of pre-4.3 versions of CUPS and ESP PrintPro): # # <VAR CLASS="REPLACEABLE" @@ -10736,7 +11268,8 @@ CLASS="REPLACEABLE" # | # | # V -# gsrip +# pstoraster # as shipped with CUPS, independent from any Ghostscipt +# | # installation on the system # | (= "postscipt interpreter") # | # V @@ -10757,6 +11290,13 @@ CLASS="REPLACEABLE" # V # backend # +# +# ESP PrintPro has some enhanced "rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +>" filters as compared to +# CUPS, and also a somewhat improved "pstoraster" filter. +# # NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to # CUPS and ESP PrintPro plug-in where rasterto<VAR CLASS="REPLACEABLE" @@ -10768,9 +11308,8 @@ CLASS="REPLACEABLE" CLASS="PROGRAMLISTING" >######################################################################### # -# This is how "cupsomatic" would come into play with ESP PrintPro: -# ================================================================ -# +# This is how "cupsomatic" comes into play: +# ========================================= # # <VAR CLASS="REPLACEABLE" @@ -10798,7 +11337,7 @@ CLASS="REPLACEABLE" # | | # | V # V cupsomatic -# gsrip (constructs complicated +# pstoraster (constructs complicated # | (= "postscipt interpreter") Ghostscript commandline # | to let the file be # V processed by a 
@@ -10813,7 +11352,7 @@ CLASS="REPLACEABLE" CLASS="REPLACEABLE" >something</VAR > V -# | (= "raster driver") +-------------------------+ +# | (= "raster driver") +-------------------------+ # | | Ghostscript at work.... | # V | | # SOMETHING-DEVICE-SPECIFIC *-------------------------+ @@ -10826,6 +11365,21 @@ CLASS="REPLACEABLE" # V # THE PRINTER # +# +# Note, that cupsomatic "kidnaps" the printfile after the +# "APPLICATION/VND.CUPS-POSTSCRPT" stage and deviates it through +# the CUPS-external, systemwide Ghostscript installation, bypassing the +# "pstoraster" filter (therefor also bypassing the CUPS-raster-drivers +# "rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +>", and hands the rasterized file directly to the CUPS +# backend... +# +# cupsomatic is not made by the CUPS developers. It is an independent +# contribution to printing development, made by people from +# Linuxprinting.org. (see also http://www.cups.org/cups-help.html) +# # NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to # CUPS and ESP PrintPro plug-in where rasterto<VAR CLASS="REPLACEABLE" @@ -10837,8 +11391,8 @@ CLASS="REPLACEABLE" CLASS="PROGRAMLISTING" >######################################################################### # -# And this is how it works for CUPS from 1.1.15: -# ============================================== +# And this is how it works for ESP PrintPro from 4.3: +# =================================================== # # <VAR CLASS="REPLACEABLE" 
@@ -10862,27 +11416,22 @@ CLASS="REPLACEABLE" # | # | # V -# APPLICATION/VND.CUPS-POSTSCRIPT-----+ -# | -# +------------------v------------------------------+ -# | Ghostscript | -# | at work... | -# | (with | -# | "-sDEVICE=cups") | -# | | -# | (= "postscipt interpreter") | -# | | -# +------------------v------------------------------+ -# | -# | -# APPLICATION/VND.CUPS-RASTER >-------+ +# APPLICATION/VND.CUPS-POSTSCRIPT +# | +# | +# V +# gsrip +# | (= "postscipt interpreter") +# | +# V +# APPLICATION/VND.CUPS-RASTER # | # | # V # rasterto<VAR CLASS="REPLACEABLE" >something</VAR -> +> (f.e. Gimp-Print filters may be plugged in here) # | (= "raster driver") # | # V @@ -10892,22 +11441,6 @@ CLASS="REPLACEABLE" # V # backend # -# -# NOTE: since version 1.1.15 CUPS "outsourced" the pstoraster process to -# Ghostscript. GNU Ghostscript needs to be patched to handle the -# CUPS requirement; ESP Ghostscript has this builtin. In any case, -# "gs -h" needs to show up a "cups" device. pstoraster is now a -# calling an appropriate "gs -sDEVICE=cups..." commandline to do -# the job. It will output "application/vnd.cup-raster", which will -# be finally processed by a CUPS raster driver "rasterto<VAR -CLASS="REPLACEABLE" ->something</VAR ->" -# Note the difference to "cupsomatic", which will *not* output -# CUPS-raster, but a final version of the printfile, ready to be -# sent to the printer. cupsomatic also doesn't use the "cups" -# devicemode in Ghostscript, but one of the classical devicemodes.... -# # NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to # CUPS and ESP PrintPro plug-in where rasterto<VAR CLASS="REPLACEABLE" 
@@ -10919,8 +11452,9 @@ CLASS="REPLACEABLE" CLASS="PROGRAMLISTING" >######################################################################### # -# And this is how it works for CUPS from 1.1.15, with cupsomatic included: -# ======================================================================== +# This is how "cupsomatic" would come into play with ESP PrintPro: +# ================================================================ +# # # <VAR CLASS="REPLACEABLE" @@ -10929,7 +11463,7 @@ CLASS="REPLACEABLE" # | # | # V -# <VAR +# <VAR CLASS="REPLACEABLE" >something</VAR >tops 
@@ -10940,20 +11474,170 @@ CLASS="REPLACEABLE" # | # | # V -# pstops +# pstops # | # | # V -# APPLICATION/VND.CUPS-POSTSCRIPT-----+ -# | -# +------------------v------------------------------+ -# | Ghostscript . Ghostscript at work.... | -# | at work... . (with "-sDEVICE= | -# | (with . <VAR -CLASS="REPLACEABLE" ->s.th.</VAR ->" | -# | "-sDEVICE=cups") . | +# APPLICATION/VND.CUPS-POSTSCRIPT ----------------+ +# | | +# | V +# V cupsomatic +# gsrip (constructs complicated +# | (= "postscipt interpreter") Ghostscript commandline +# | to let the file be +# V processed by a +# APPLICATION/VND.CUPS-RASTER "-sDEVICE=<VAR +CLASS="REPLACEABLE" +>s.th.</VAR +>" +# | call...) +# | | +# V | +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> V +# | (= "raster driver") +-------------------------+ +# | | Ghostscript at work.... | +# V | | +# SOMETHING-DEVICE-SPECIFIC *-------------------------+ +# | | +# | | +# V | +# backend >------------------------------------+ +# | +# | +# V +# THE PRINTER +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. +# +#########################################################################</PRE +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# And this is how it works for CUPS from 1.1.15: +# ============================================== +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT-----+ +# | +# +------------------v------------------------------+ +# | Ghostscript | +# | at work... 
| +# | (with | +# | "-sDEVICE=cups") | +# | | +# | (= "postscipt interpreter") | +# | | +# +------------------v------------------------------+ +# | +# | +# APPLICATION/VND.CUPS-RASTER >-------+ +# | +# | +# V +# rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> +# | (= "raster driver") +# | +# V +# SOMETHING-DEVICE-SPECIFIC +# | +# | +# V +# backend +# +# +# NOTE: since version 1.1.15 CUPS "outsourced" the pstoraster process to +# Ghostscript. GNU Ghostscript needs to be patched to handle the +# CUPS requirement; ESP Ghostscript has this builtin. In any case, +# "gs -h" needs to show up a "cups" device. pstoraster is now a +# calling an appropriate "gs -sDEVICE=cups..." commandline to do +# the job. It will output "application/vnd.cup-raster", which will +# be finally processed by a CUPS raster driver "rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +>" +# Note the difference to "cupsomatic", which will *not* output +# CUPS-raster, but a final version of the printfile, ready to be +# sent to the printer. cupsomatic also doesn't use the "cups" +# devicemode in Ghostscript, but one of the classical devicemodes.... +# +# NOTE: Gimp-Print and some other 3rd-Party-Filters (like TurboPrint) to +# CUPS and ESP PrintPro plug-in where rasterto<VAR +CLASS="REPLACEABLE" +>something</VAR +> is noted. +# +#########################################################################</PRE +><PRE +CLASS="PROGRAMLISTING" +>######################################################################### +# +# And this is how it works for CUPS from 1.1.15, with cupsomatic included: +# ======================================================================== +# +# <VAR +CLASS="REPLACEABLE" +>SOMETHNG</VAR +>-FILEFORMAT +# | +# | +# V +# <VAR +CLASS="REPLACEABLE" +>something</VAR +>tops +# | +# | +# V +# APPLICATION/POSTSCRIPT +# | +# | +# V +# pstops +# | +# | +# V +# APPLICATION/VND.CUPS-POSTSCRIPT-----+ +# | +# +------------------v------------------------------+ +# | Ghostscript . 
Ghostscript at work.... | +# | at work... . (with "-sDEVICE= | +# | (with . <VAR +CLASS="REPLACEABLE" +>s.th.</VAR +>" | +# | "-sDEVICE=cups") . | # | . | # | (CUPS standard) . (cupsomatic) | # | . | @@ -10993,8 +11677,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2083" ->15.4. CUPS Print Drivers and Devices</A +NAME="AEN2215" +>13.9. CUPS Print Drivers and Devices</A ></H2 ><P >CUPS ships with good support for HP LaserJet type printers. You can install @@ -11023,8 +11707,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2090" ->15.4.1. Further printing steps</A +NAME="AEN2222" +>13.9.1. Further printing steps</A ></H3 ><P >Always also consult the database on linuxprinting.org for all recommendations @@ -11079,7 +11763,8 @@ at "/some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</P ><P ><PRE CLASS="PROGRAMLISTING" -> "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</PRE +> "lpadmin -p laserjet4plus -v parallel:/dev/lp0 -E \ + -P /some/path/on/your/filesystem/somewhere/my-name-for-my-printer.ppd"</PRE ></P ><P >Note, that for all the "Foomatic-PPDs" from Linuxprinting.org, you also need @@ -11347,8 +12032,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2160" ->15.5. Limiting the number of pages users can print</A +NAME="AEN2292" +>13.10. Limiting the number of pages users can print</A ></H2 ><P >The feature you want is dependent on the real print subsystem you're using. 
@@ -11365,7 +12050,8 @@ and are spanning any time period you want.</P assuming an existing printer named "quotaprinter":</P ><PRE CLASS="PROGRAMLISTING" -> lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 -o job-page-limit=100</PRE +> lpadmin -p quotaprinter -o job-quota-period=604800 -o job-k-limit=1024 \ + -o job-page-limit=100</PRE ><P >This would limit every single user to print 100 pages or 1024 KB of data (whichever comes first) within the last 604.800 seconds ( = 1 week).</P @@ -11404,7 +12090,7 @@ BORDER="0" ><TBODY ><TR ><TD ->>it guarantees to not write an PJL-header</TD +>it guarantees to not write an PJL-header</TD ></TR ><TR ><TD 
@@ -11429,28 +12115,56 @@ current with CUPS 1.1.16).</P ><P >These are the items CUPS logs in the "page_log" for every single *page* of a job:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> * Printer name - * User name - * Job ID - * Time of printing - * the page number - * the number of copies - * a billing info string (optional)</PRE +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Printer name</TD +></TR +><TR +><TD +>User name</TD +></TR +><TR +><TD +>Job ID</TD +></TR +><TR +><TD +>Time of printing</TD +></TR +><TR +><TD +>the page number</TD +></TR +><TR +><TD +>the number of copies</TD +></TR +><TR +><TD +>a billing info string (optional)</TD +></TR +></TBODY +></TABLE +><P +></P ></P ><P >Here is an extract of my CUPS server's page_log file to illustrate the format and included items:</P ><P -><PRE -CLASS="PROGRAMLISTING" +><SAMP +CLASS="COMPUTEROUTPUT" > infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 1 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 2 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 3 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 4 2 #marketing infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 5 2 #marketing - infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 6 2 #marketing</PRE + infotec_IS2027 kurt 40 [22/Nov/2002:13:18:03 +0100] 6 2 #marketing</SAMP ></P ><P >This was Job ID "40", printed on "infotec_IS2027" by user "kurt", a 6-page job @@ -11513,7 +12227,7 @@ BORDER="0" ><TD >page counting will go into the "backends" (these talk directly to the printer and will increase the count in sync with the - actual printing process -- a jam at the 5th sheet will lead to a stop in the counting)</TD + actual printing process -- a jam at the 5th sheet will lead to a stop in the counting)</TD ></TR ><TR ><TD 
@@ -11546,14 +12260,16 @@ Windows NT/2k/XP Printer Driver for SAMBA (tar.gz, 192k)". The filename to download is "cups-samba-1.1.16.tar.gz". Upon untar-/unzip-ping it will reveal the files:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> cups-samba.install - cups-samba.license - cups-samba.readme - cups-samba.remove - cups-samba.ss</PRE -></P +> <SAMP +CLASS="COMPUTEROUTPUT" +> cups-samba.install + cups-samba.license + cups-samba.readme + cups-samba.remove + cups-samba.ss + </SAMP +> + </P ><P >These have been packaged with the ESP meta packager software "EPM". The *.install and *.remove files are simple shell script, which untars the @@ -11563,18 +12279,20 @@ CLASS="FILENAME" >/usr/share/cups/drivers/</TT >. Its contents are 3 files:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> cupsdrvr.dll - cupsui.dll - cups.hlp</PRE -></P +> <SAMP +CLASS="COMPUTEROUTPUT" +> cupsdrvr.dll + cupsui.dll + cups.hlp + </SAMP +> + </P ><DIV -CLASS="NOTE" +CLASS="CAUTION" ><P ></P ><TABLE -CLASS="NOTE" +CLASS="CAUTION" WIDTH="100%" BORDER="0" ><TR @@ -11583,14 +12301,14 @@ WIDTH="25" ALIGN="CENTER" VALIGN="TOP" ><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/caution.gif" HSPACE="5" -ALT="Note"></TD +ALT="Caution"></TD ><TD ALIGN="LEFT" VALIGN="TOP" ><P ->ATTENTION: due to a bug one CUPS release puts the <TT +>Due to a bug one CUPS release puts the <TT CLASS="FILENAME" >cups.hlp</TT > @@ -11604,10 +12322,12 @@ CLASS="FILENAME" >. To work around this, copy/move the file after running the "./cups-samba.install" script manually to the right place:</P ><P -><PRE -CLASS="PROGRAMLISTING" -> cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/</PRE -></P +> <KBD +CLASS="USERINPUT" +> cp /usr/share/drivers/cups.hlp /usr/share/cups/drivers/ + </KBD +> + </P ></TD ></TR ></TABLE 
@@ -11676,8 +12396,9 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->NOTE 1: Win 9x/ME clients won't work with this driver. For these you'd -still need to use the ADOBE*.* drivers as previously.</P +> Win 9x/ME clients won't work with this driver. For these you'd + still need to use the ADOBE*.* drivers as previously. + </P ></TD ></TR ></TABLE @@ -11703,10 +12424,11 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->NOTE 2: It is not harming if you've still the ADOBE*.* driver files from -previous installations in the "/usr/share/cups/drivers/" directory. -The new cupsaddsmb (from 1.1.16) will automatically use the -"newest" installed driver (which here then is the CUPS drivers).</P +> It is not harming if you've still the ADOBE*.* driver files from + previous installations in the "/usr/share/cups/drivers/" directory. + The new cupsaddsmb (from 1.1.16) will automatically use the + "newest" installed driver (which here then is the CUPS drivers). + </P ></TD ></TR ></TABLE 
@@ -11732,22 +12454,24 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->NOTE 3: Should your Win clients have had the old ADOBE*.* files and the -Adobe PostScript drivers installed, the download and installation -of the new CUPS PostScript driver for Windows NT/2k/XP will fail -at first.</P -><P ->It is not enough to "delete" the printer (as the driver files -will still be kept by the clients and re-used if you try to -re-install the printer). To really get rid of the Adobe driver -files on the clients, open the "Printers" folder (possibly via -"Start --> Settings --> Control Panel --> Printers"), right-click -onto the folder background and select "Server Properties". A -new dialog opens; select the "Drivers" tab; on the list select -the driver you want to delete and click on the "Delete" button. -(This will only work if there is no single printer left which -uses that particular driver -- you need to "delete" all printers -using this driver in the "Printers" folder first.)</P +> Should your Win clients have had the old ADOBE*.* files and the + Adobe PostScript drivers installed, the download and installation + of the new CUPS PostScript driver for Windows NT/2k/XP will fail + at first. + </P +><P +> It is not enough to "delete" the printer (as the driver files + will still be kept by the clients and re-used if you try to + re-install the printer). To really get rid of the Adobe driver + files on the clients, open the "Printers" folder (possibly via + "Start --> Settings --> Control Panel --> Printers"), right-click + onto the folder background and select "Server Properties". A + new dialog opens; select the "Drivers" tab; on the list select + the driver you want to delete and click on the "Delete" button. + (This will only work if there is no single printer left which + uses that particular driver -- you need to "delete" all printers + using this driver in the "Printers" folder first.) + </P ></TD ></TR ></TABLE 
@@ -11773,10 +12497,11 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->Once you have successfully downloaded the CUPS PostScript driver -to a client, you can easily switch all printers to this one -by proceeding as described elsewhere in the "Samba HOWTO -Collection" to change a driver for an existing printer.</P +> Once you have successfully downloaded the CUPS PostScript driver + to a client, you can easily switch all printers to this one + by proceeding as described elsewhere in the "Samba HOWTO + Collection" to change a driver for an existing printer. + </P ></TD ></TR ></TABLE @@ -11870,8 +12595,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2249" ->15.6. Advanced Postscript Printing from MS Windows</A +NAME="AEN2388" +>13.11. Advanced Postscript Printing from MS Windows</A ></H2 ><P >Let the Windows Clients use a PostScript driver to deliver poistscript to @@ -11961,8 +12686,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2264" ->15.7. Auto-Deletion of CUPS spool files</A +NAME="AEN2403" +>13.12. Auto-Deletion of CUPS spool files</A ></H2 ><P >Samba print files pass thru two "spool" directories. One the incoming directory @@ -11975,11 +12700,27 @@ For CUPS it is normally "/var/spool/cups/", as set by the cupsd.conf directive it is most likely the Samba part.</P ><P >For the CUPS part, you may want to consult:</P -><PRE -CLASS="PROGRAMLISTING" -> http://localhost:631/sam.html#PreserveJobFiles and - http://localhost:631/sam.html#PreserveJobHistory and - http://localhost:631/sam.html#MaxJobs</PRE +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>http://localhost:631/sam.html#PreserveJobFiles</TD +></TR +><TR +><TD +>http://localhost:631/sam.html#PreserveJobHistory</TD +></TR +><TR +><TD +>http://localhost:631/sam.html#MaxJobs</TD +></TR +></TBODY +></TABLE +><P +></P ><P >There are the settings described for your CUPS daemon, which could lead to completed job files not being deleted.</P 
@@ -12074,10 +12815,10 @@ above.</P ><P >If you have more problems, post the output of these commands:</P ><P -><PRE -CLASS="PROGRAMLISTING" +><KBD +CLASS="USERINPUT" > grep -v ^# /etc/cups/cupsd.conf | grep -v ^$ - grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;"</PRE + grep -v ^# /etc/samba/smb.conf | grep -v ^$ | grep -v "^;"</KBD ></P ><P >(adapt paths as needed). These commands sanitize the files @@ -12091,14 +12832,14 @@ CLASS="CHAPTER" ><A NAME="WINBIND" ></A ->Chapter 16. Unified Logons between Windows NT and UNIX using Winbind</H1 +>Chapter 14. Unified Logons between Windows NT and UNIX using Winbind</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2326" ->16.1. Abstract</A +NAME="AEN2469" +>14.1. Abstract</A ></H2 ><P >Integration of UNIX and Microsoft Windows NT through @@ -12124,8 +12865,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2330" ->16.2. Introduction</A +NAME="AEN2473" +>14.2. Introduction</A ></H2 ><P >It is well known that UNIX and Microsoft Windows NT have @@ -12178,8 +12919,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2343" ->16.3. What Winbind Provides</A +NAME="AEN2486" +>14.3. What Winbind Provides</A ></H2 ><P >Winbind unifies UNIX and Windows NT account management by @@ -12220,8 +12961,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2350" ->16.3.1. Target Uses</A +NAME="AEN2493" +>14.3.1. Target Uses</A ></H3 ><P >Winbind is targeted at organizations that have an @@ -12244,8 +12985,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2354" ->16.4. How Winbind Works</A +NAME="AEN2497" +>14.4. How Winbind Works</A ></H2 ><P >The winbind system is designed around a client/server @@ -12264,8 +13005,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2359" ->16.4.1. Microsoft Remote Procedure Calls</A +NAME="AEN2502" +>14.4.1. Microsoft Remote Procedure Calls</A ></H3 ><P >Over the last few years, efforts have been underway 
@@ -12290,8 +13031,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2363" ->16.4.2. Microsoft Active Directory Services</A +NAME="AEN2506" +>14.4.2. Microsoft Active Directory Services</A ></H3 ><P > Since late 2001, Samba has gained the ability to @@ -12309,8 +13050,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2366" ->16.4.3. Name Service Switch</A +NAME="AEN2509" +>14.4.3. Name Service Switch</A ></H3 ><P >The Name Service Switch, or NSS, is a feature that is @@ -12389,8 +13130,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2382" ->16.4.4. Pluggable Authentication Modules</A +NAME="AEN2525" +>14.4.4. Pluggable Authentication Modules</A ></H3 ><P >Pluggable Authentication Modules, also known as PAM, @@ -12438,8 +13179,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2390" ->16.4.5. User and Group ID Allocation</A +NAME="AEN2533" +>14.4.5. User and Group ID Allocation</A ></H3 ><P >When a user or group is created under Windows NT @@ -12464,8 +13205,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2394" ->16.4.6. Result Caching</A +NAME="AEN2537" +>14.4.6. Result Caching</A ></H3 ><P >An active system can generate a lot of user and group @@ -12487,8 +13228,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2397" ->16.5. Installation and Configuration</A +NAME="AEN2540" +>14.5. Installation and Configuration</A ></H2 ><P >Many thanks to John Trostel <A @@ -12506,8 +13247,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2402" ->16.5.1. Introduction</A +NAME="AEN2545" +>14.5.1. Introduction</A ></H3 ><P >This HOWTO describes the procedures used to get winbind up and @@ -12565,8 +13306,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2415" ->16.5.2. Requirements</A +NAME="AEN2558" +>14.5.2. Requirements</A ></H3 ><P >If you have a samba configuration file that you are currently 
@@ -12635,8 +13376,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2429" ->16.5.3. Testing Things Out</A +NAME="AEN2572" +>14.5.3. Testing Things Out</A ></H3 ><P >Before starting, it is probably best to kill off all the SAMBA @@ -12680,8 +13421,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2440" ->16.5.3.1. Configure and compile SAMBA</A +NAME="AEN2583" +>14.5.3.1. Configure and compile SAMBA</A ></H4 ><P >The configuration and compilation of SAMBA is pretty straightforward. @@ -12746,8 +13487,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2459" ->16.5.3.2. Configure <TT +NAME="AEN2602" +>14.5.3.2. Configure <TT CLASS="FILENAME" >nsswitch.conf</TT > and the @@ -12851,8 +13592,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2492" ->16.5.3.3. Configure smb.conf</A +NAME="AEN2635" +>14.5.3.3. Configure smb.conf</A ></H4 ><P >Several parameters are needed in the smb.conf file to control @@ -12926,8 +13667,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2508" ->16.5.3.4. Join the SAMBA server to the PDC domain</A +NAME="AEN2651" +>14.5.3.4. Join the SAMBA server to the PDC domain</A ></H4 ><P >Enter the following command to make the SAMBA server join the @@ -12964,8 +13705,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2519" ->16.5.3.5. Start up the winbindd daemon and test it!</A +NAME="AEN2662" +>14.5.3.5. Start up the winbindd daemon and test it!</A ></H4 ><P >Eventually, you will want to modify your smb startup script to @@ -13100,16 +13841,16 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2559" ->16.5.3.6. Fix the init.d startup scripts</A +NAME="AEN2702" +>14.5.3.6. Fix the init.d startup scripts</A ></H4 ><DIV CLASS="SECT4" ><H5 CLASS="SECT4" ><A -NAME="AEN2561" ->16.5.3.6.1. Linux</A +NAME="AEN2704" +>14.5.3.6.1. Linux</A ></H5 ><P >The <B 
@@ -13218,8 +13959,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2581" ->16.5.3.6.2. Solaris</A +NAME="AEN2724" +>14.5.3.6.2. Solaris</A ></H5 ><P >On solaris, you need to modify the @@ -13302,8 +14043,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2591" ->16.5.3.6.3. Restarting</A +NAME="AEN2734" +>14.5.3.6.3. Restarting</A ></H5 ><P >If you restart the <B @@ -13326,8 +14067,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2597" ->16.5.3.7. Configure Winbind and PAM</A +NAME="AEN2740" +>14.5.3.7. Configure Winbind and PAM</A ></H4 ><P >If you have made it this far, you know that winbindd and samba are working @@ -13384,8 +14125,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2614" ->16.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A +NAME="AEN2757" +>14.5.3.7.1. Linux/FreeBSD-specific PAM configuration</A ></H5 ><P >The <TT @@ -13513,8 +14254,8 @@ CLASS="SECT4" ><HR><H5 CLASS="SECT4" ><A -NAME="AEN2647" ->16.5.3.7.2. Solaris-specific configuration</A +NAME="AEN2790" +>14.5.3.7.2. Solaris-specific configuration</A ></H5 ><P >The /etc/pam.conf needs to be changed. I changed this file so that my Domain @@ -13600,8 +14341,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2654" ->16.6. Limitations</A +NAME="AEN2797" +>14.6. Limitations</A ></H2 ><P >Winbind has a number of limitations in its current @@ -13642,8 +14383,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN2664" ->16.7. Conclusion</A +NAME="AEN2807" +>14.7. Conclusion</A ></H2 ><P >The winbind system, through the use of the Name Service 
@@ -13658,16 +14399,271 @@ NAME="AEN2664" CLASS="CHAPTER" ><HR><H1 ><A -NAME="POLICYMGMT" +NAME="ADVANCEDNETWORKMANAGEMENT" ></A ->Chapter 17. Policy Management - Hows and Whys</H1 +>Chapter 15. Advanced Network Manangement</H1 +><P +>This section attempts to document peripheral issues that are of great importance to network +administrators who want to improve network resource access control, to automate the user +environment, and to make their lives a little easier.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2822" +>15.1. Configuring Samba Share Access Controls</A +></H2 +><P +>This section deals with how to configure Samba per share access control restrictions. +By default samba sets no restrictions on the share itself. Restrictions on the share itself +can be set on MS Windows NT4/200x/XP shares. This can be a very effective way to limit who can +connect to a share. In the absence of specific restrictions the default setting is to allow +the global user <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control (ie: Full control, Change and Read).</P +><P +>At this time Samba does NOT provide a tool for configuring access control setting on the Share +itself. Samba does have the capacity to store and act on access control settings, but the only +way to create those settings is to use either the NT4 Server Manager or the Windows 200x MMC for +Computer Management.</P +><P +>Samba stores the per share access control settings in a file called <TT +CLASS="FILENAME" +>share_info.tdb</TT +>. +The location of this file on your system will depend on how samba was compiled. The default location +for samba's tdb files is under <TT +CLASS="FILENAME" +>/usr/local/samba/var</TT +>. 
If the <TT +CLASS="FILENAME" +>tdbdump</TT +> +utility has been compiled and installed on your system then you can examine the contents of this file +by: <KBD +CLASS="USERINPUT" +>tdbdump share_info.tdb</KBD +>.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2832" +>15.1.1. Share Permissions Management</A +></H3 +><P +>The best tool for the task is platform dependant. Choose the best tool for your environmemt.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN2835" +>15.1.1.1. Windows NT4 Workstation/Server</A +></H4 +><P +>The tool you need to use to manage share permissions on a Samba server is the NT Server Manager. +Server Manager is shipped with Windows NT4 Server products but not with Windows NT4 Workstation. +You can obtain the NT Server Manager for MS Windows NT4 Workstation from Microsoft - see details below.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +>Launch the NT4 Server Manager, click on the Samba server you want to administer, then from the menu +select Computer, then click on the Shared Directories entry.</P +></LI +><LI +><P +> Now click on the share that you wish to manage, then click on the Properties tab, next click on + the Permissions tab. Now you can Add or change access control settings as you wish.</P +></LI +></OL +></DIV +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN2844" +>15.1.1.2. Windows 200x/XP</A +></H4 +><P +>On MS Windows NT4/200x/XP system access control lists on the share itself are set using native +tools, usually from filemanager. For example, in Windows 200x: right click on the shared folder, +then select 'Sharing', then click on 'Permissions'. 
The default Windows NT4/200x permission allows +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Everyone</I +></SPAN +> Full Control on the Share.</P +><P +>MS Windows 200x and later all comes with a tool called the 'Computer Management' snap-in for the +Microsoft Management Console (MMC). This tool is located by clicking on <TT +CLASS="FILENAME" +>Control Panel -> +Administrative Tools -> Computer Management</TT +>.</P +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P +><OL +TYPE="1" +><LI +><P +> After launching the MMC with the Computer Management snap-in, click on the menu item 'Action', + select 'Connect to another computer'. If you are not logged onto a domain you will be prompted + to enter a domain login user identifier and a password. This will authenticate you to the domain. + If you where already logged in with administrative privilidge this step is not offered.</P +></LI +><LI +><P +>If the Samba server is not shown in the Select Computer box, then type in the name of the target +Samba server in the field 'Name:'. Now click on the [+] next to 'System Tools', then on the [+] +next to 'Shared Folders' in the left panel.</P +></LI +><LI +><P +>Now in the right panel, double-click on the share you wish to set access control permissions on. +Then click on the tab 'Share Permissions'. It is now possible to add access control entities +to the shared folder. Do NOT forget to set what type of access (full control, change, read) you +wish to assign for each entry.</P +></LI +></OL +></DIV +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Be careful. If you take away all permissions from the Everyone user without removing this user +then effectively no user will be able to access the share. 
This is a result of what is known as +ACL precidence. ie: Everyone with NO ACCESS means that MaryK who is part of the group Everyone +will have no access even if this user is given explicit full control access.</P +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2860" +>15.2. Remote Server Administration</A +></H2 +><P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>How do I get 'User Manager' and 'Server Manager'?</I +></SPAN +></P +><P +>Since I don't need to buy an NT4 Server, how do I get the 'User Manager for Domains', +the 'Server Manager'?</P +><P +>Microsoft distributes a version of these tools called nexus for installation on Windows 9x / Me +systems. The tools set includes:</P +><P +></P +><UL +><LI +><P +>Server Manager</P +></LI +><LI +><P +>User Manager for Domains</P +></LI +><LI +><P +>Event Viewer</P +></LI +></UL +><P +>Click here to download the archived file <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/NEXUS.EXE</A +></P +><P +>The Windows NT 4.0 version of the 'User Manager for +Domains' and 'Server Manager' are available from Microsoft via ftp +from <A +HREF="ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE" +TARGET="_top" +>ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE</A +></P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2877" +>15.3. Network Logon Script Magic</A +></H2 +><P +>This section needs work. Volunteer contributions most welcome. Please send your patches or updates +to <A +HREF="mailto:jht@samba.org" +TARGET="_top" +>John Terpstra</A +>.</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="POLICYMGMT" +></A +>Chapter 16. System and Account Policies</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2678" ->17.1. System Policies</A +NAME="AEN2892" +>16.1. 
Creating and Managing System Policies</A ></H2 ><P >Under MS Windows platforms, particularly those following the release of MS Windows @@ -13699,7 +14695,7 @@ CLASS="EMPHASIS" > under the <TT CLASS="FILENAME" ->Start->Programs->Administrative Tools</TT +>Start -> Programs -> Administrative Tools</TT > menu item. For MS Windows NT4 and later clients this file must be called <TT CLASS="FILENAME" @@ -13714,11 +14710,11 @@ complex tools and methods. To Microsoft's credit though, the MMC does appear to be a step forward, but improved functionality comes at a great price.</P ><P >Before embarking on the configuration of network and system policies it is highly -advisable to read the documentation available from Microsoft's web site from +advisable to read the documentation available from Microsoft's web site regarding <A HREF="http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp" TARGET="_top" ->Implementing Profiles and Policies in Windows NT 4.0</A +>Implementing Profiles and Policies in Windows NT 4.0 from http://www.microsoft.com/ntserver/management/deployment/planguide/prof_policies.asp</A > available from Microsoft. There are a large number of documents in addition to this old one that should also be read and understood. Try searching on the Microsoft web site for "Group Policies".</P @@ -13730,8 +14726,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2692" ->17.1.1. Creating and Managing Windows 9x/Me Policies</A +NAME="AEN2906" +>16.1.1. Windows 9x/Me Policies</A ></H3 ><P >You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me. 
@@ -13739,25 +14735,25 @@ It can be found on the Original full product Win98 installation CD under <TT CLASS="FILENAME" >tools/reskit/netadmin/poledit</TT ->. You install this using the +>. Install this using the Add/Remove Programs facility and then click on the 'Have Disk' tab.</P ><P >Use the Group Policy Editor to create a policy file that specifies the location of user profiles and/or the <TT CLASS="FILENAME" >My Documents</TT -> etc. stuff. You then +> etc. stuff. Then save these settings in a file called <TT CLASS="FILENAME" >Config.POL</TT > that needs to -be placed in the root of the [NETLOGON] share. If your Win98 is configured to log onto +be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto the Samba Domain, it will automatically read this file and update the Win9x/Me registry -of the machine that is logging on.</P +of the machine as it logs on.</P ><P >Further details are covered in the Win98 Resource Kit documentation.</P ><P ->If you do not do it this way, then every so often Win9x/Me will check the +>If you do not take the right steps, then every so often Win9x/Me will check the integrity of the registry and will restore it's settings from the back-up copy of the registry it stores on each Win9x/Me machine. Hence, you will occasionally notice things changing back to the original settings.</P @@ -13780,8 +14776,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2704" ->17.1.2. Creating and Managing Windows NT4 Style Policy Files</A +NAME="AEN2918" +>16.1.2. Windows NT4 Style Policy Files</A ></H3 ><P >To create or edit <TT 
@@ -13845,16 +14841,17 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2719" ->17.1.2.1. Registry Tattoos</A +NAME="AEN2933" +>16.1.2.1. Registry Tattoos</A ></H4 ><P ->With NT4 style registry based policy changes, a large number of settings are not -automatically reversed as the user logs off. Since the settings that were in the -NTConfig.POL file were applied to the client machine registry and that apply to the -hive key HKEY_LOCAL_MACHINE are permanent until explicitly reveresd. This is known -as tattooing. It can have serious consequences down-stream and the administrator must -be extreemly careful not to lock out the ability to manage the machine at a later date.</P +> With NT4 style registry based policy changes, a large number of settings are not + automatically reversed as the user logs off. Since the settings that were in the + NTConfig.POL file were applied to the client machine registry and that apply to the + hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known + as tattooing. It can have serious consequences down-stream and the administrator must + be extremely careful not to lock out the ability to manage the machine at a later date. + </P ></DIV ></DIV ><DIV @@ -13862,8 +14859,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2722" ->17.1.3. Creating and Managing MS Windows 200x Policies</A +NAME="AEN2936" +>16.1.3. MS Windows 200x / XP Professional Policies</A ></H3 ><P >Windows NT4 System policies allows setting of registry parameters specific to 
@@ -13922,45 +14919,47 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN2733" ->17.1.3.1. Administration of Win2K Policies</A +NAME="AEN2947" +>16.1.3.1. Administration of Win2K / XP Policies</A ></H4 +><DIV +CLASS="PROCEDURE" +><P +><B +>Instructions</B +></P ><P >Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console (MMC) snap-in as follows:</P -><P -></P -><UL +><OL +TYPE="1" ><LI ><P -> Go to the Windows 200x / XP menu <TT +>Go to the Windows 200x / XP menu <TT CLASS="FILENAME" ->Start->Programs->Adminsitrative Tools</TT +>Start->Programs->Administrative Tools</TT > - and select the MMC snap-in called "Active Directory Users and Computers" - </P + and select the MMC snap-in called "Active Directory Users and Computers"</P ><P -> </P +></P ></LI ><LI ><P -> Select the domain or organizational unit (OU) that you wish to manage, then right click - to open the context menu for that object, select the properties item. - </P +>Select the domain or organizational unit (OU) that you wish to manage, then right click +to open the context menu for that object, select the properties item.</P ></LI ><LI ><P -> Now left click on the Group Policy tab, then left click on the New tab. Type a name - for the new policy you will create. - </P +>Now left click on the Group Policy tab, then left click on the New tab. Type a name +for the new policy you will create.</P ></LI ><LI ><P -> Now left click on the Edit tab to commence the steps needed to create the GPO. - </P +>Now left click on the Edit tab to commence the steps needed to create the GPO.</P ></LI -></UL +></OL +></DIV ><P >All policy configuration options are controlled through the use of policy administrative templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP. 
@@ -14000,6 +14999,107 @@ use this powerful tool. Please refer to the resource kit manuals for specific us ></DIV ></DIV ></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN2965" +>16.2. Managing Account/User Policies</A +></H2 +><P +>Policies can define a specific user's settings or the settings for a group of users. The resulting +policy file contains the registry settings for all users, groups, and computers that will be using +the policy file. Separate policy files for each user, group, or computer are not not necessary.</P +><P +>If you create a policy that will be automatically downloaded from validating domain controllers, +you should name the file NTconfig.POL. As system administrator, you have the option of renaming the +policy file and, by modifying the Windows NT-based workstation, directing the computer to update +the policy from a manual path. You can do this by either manually changing the registry or by using +the System Policy Editor. This path can even be a local path such that each machine has its own policy file, +but if a change is necessary to all machines, this change must be made individually to each workstation.</P +><P +>When a Windows NT4/200x/XP machine logs onto the network the NETLOGON share on the authenticating domain +controller for the presence of the NTConfig.POL file. If one exists it is downloaded, parsed and then +applied to the user's part of the registry.</P +><P +>MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally, +acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory +itself. The key benefit of using AS GPOs is that they impose no registry <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>tatooing</I +></SPAN +> effect. 
+This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.</P +><P +>Inaddition to user access controls that may be imposed or applied via system and/or group policies +in a manner that works in conjunction with user profiles, the user management environment under +MS Windows NT4/200x/XP allows per domain as well as per user account restrictions to be applied. +Common restrictions that are frequently used includes:</P +><P +><P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>Logon Hours</TD +></TR +><TR +><TD +>Password Aging</TD +></TR +><TR +><TD +>Permitted Logon from certain machines only</TD +></TR +><TR +><TD +>Account type (Local or Global)</TD +></TR +><TR +><TD +>User Rights</TD +></TR +></TBODY +></TABLE +><P +></P +></P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2980" +>16.2.1. With Windows NT4/200x</A +></H3 +><P +>The tools that may be used to configure these types of controls from the MS Windows environment are: +The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe). +Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate +"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN2983" +>16.2.2. With a Samba PDC</A +></H3 +><P +>With a Samba Domain Controller, the new tools for managing of user account and policy information includes: +<TT +CLASS="FILENAME" +>smbpasswd, pdbedit, smbgroupedit, net, rpcclient.</TT +>. The administrator should read the +man pages for these tools and become familiar with their use.</P +></DIV +></DIV ></DIV ><DIV CLASS="CHAPTER" 
@@ -14007,14 +15107,14 @@ CLASS="CHAPTER" ><A NAME="PROFILEMGMT" ></A ->Chapter 18. Profile Management</H1 +>Chapter 17. Desktop Profile Management</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN2761" ->18.1. Roaming Profiles</A +NAME="AEN2998" +>17.1. Roaming Profiles</A ></H2 ><DIV CLASS="WARNING" 
@@ -14043,45 +15143,63 @@ CLASS="emphasis" CLASS="EMPHASIS" >NOTE!</I ></SPAN -> Roaming profiles support is different for Win9X and WinNT.</P +> Roaming profiles support is different for Win9x / Me +and Windows NT4/200x.</P ></TD ></TR ></TABLE ></DIV ><P >Before discussing how to configure roaming profiles, it is useful to see how -Win9X and WinNT clients implement these features.</P +Windows 9x / Me and Windows NT4/200x clients implement these features.</P ><P ->Win9X clients send a NetUserGetInfo request to the server to get the user's +>Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X -profiles are restricted to being in the user's home directory.</P +profiles location field, only the user's home share. This means that Win9X/Me +profiles are restricted to being stored in the user's home directory.</P ><P ->WinNT clients send a NetSAMLogon RPC request, which contains many fields, -including a separate field for the location of the user's profiles. -This means that support for profiles is different for Win9X and WinNT.</P +>Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles.</P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2769" ->18.1.1. Windows NT Configuration</A +NAME="AEN3006" +>17.1.1. Samba Configuration for Profile Handling</A ></H3 ><P ->To support WinNT clients, in the [global] section of smb.conf set the +>This section documents how to configure Samba for MS Windows client profile support.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3009" +>17.1.1.1. 
NT4/200x User Profiles</A +></H4 +><P +>To support Windowns NT4/200x clients, in the [global] section of smb.conf set the following (for example):</P ><P ><PRE CLASS="PROGRAMLISTING" ->logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</PRE +> logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath + + This is typically implemented like: + + logon path = \\%L\Profiles\%u + + where: + %L translates to the name of the Samba server + %u translates to the user name</PRE ></P ><P ->The default for this option is \\%N\%U\profile, namely -\\sambaserver\username\profile. The \\N%\%U service is created -automatically by the [homes] service. -If you are using a samba server for the profiles, you _must_ make the -share specified in the logon path browseable.</P +>The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile. +The \\N%\%U service is created automatically by the [homes] service. If you are using +a samba server for the profiles, you _must_ make the share specified in the logon path +browseable. Please refer to the man page for smb.conf in respect of the different +symantics of %L and %N, as well as %U and %u.</P ><DIV CLASS="NOTE" ><P 
@@ -14118,79 +15236,52 @@ meta-service name as part of the profile share path.</P ></DIV ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2778" ->18.1.2. Windows 9X Configuration</A -></H3 +NAME="AEN3018" +>17.1.1.2. Windows 9x / Me User Profiles</A +></H4 ><P ->To support Win9X clients, you must use the "logon home" parameter. Samba has +>To support Windows 9x / Me clients, you must use the "logon home" parameter. Samba has now been fixed so that "net use /home" now works as well, and it, too, relies on the "logon home" parameter.</P ><P ->By using the logon home parameter, you are restricted to putting Win9X +>By using the logon home parameter, you are restricted to putting Win9x / Me profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your -smb.conf file:</P +can use. If you set the following in the [global] section of your smb.conf file:</P ><P ><PRE CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles</PRE +> logon home = \\%L\%U\.profiles</PRE ></P ><P ->then your Win9X clients will dutifully put their clients in a subdirectory +>then your Windows 9x / Me clients will dutifully put their clients in a subdirectory of your home directory called .profiles (thus making them hidden).</P ><P >Not only that, but 'net use/home' will also work, because of a feature in -Win9X. It removes any directory stuff off the end of the home directory area +Windows 9x / Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you specified \\%L\%U for "logon home".</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2786" ->18.1.3. Win9X and WinNT Configuration</A -></H3 +NAME="AEN3026" +>17.1.1.3. 
Mixed Windows 9x / Me and Windows NT4/200x User Profiles</A +></H4 ><P >You can support profiles for both Win9X and WinNT clients by setting both the "logon home" and "logon path" parameters. For example:</P ><P ><PRE CLASS="PROGRAMLISTING" ->logon home = \\%L\%U\.profiles -logon path = \\%L\profiles\%U</PRE -></P -><DIV -CLASS="NOTE" -><P +> logon home = \\%L\%u\.profiles + logon path = \\%L\profiles\%u</PRE ></P -><TABLE -CLASS="NOTE" -WIDTH="100%" -BORDER="0" -><TR -><TD -WIDTH="25" -ALIGN="CENTER" -VALIGN="TOP" -><IMG -SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" -HSPACE="5" -ALT="Note"></TD -><TD -ALIGN="LEFT" -VALIGN="TOP" -><P ->I have not checked what 'net use /home' does on NT when "logon home" is -set as above.</P -></TD -></TR -></TABLE ></DIV ></DIV ><DIV @@ -14198,9 +15289,17 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN2793" ->18.1.4. Windows 9X Profile Setup</A +NAME="AEN3031" +>17.1.2. Windows Client Profile Configuration Information</A ></H3 +><DIV +CLASS="SECT3" +><H4 +CLASS="SECT3" +><A +NAME="AEN3033" +>17.1.2.1. Windows 9x / Me Profile Setup</A +></H4 ><P >When a user first logs in on Windows 9X, the file user.DAT is created, as are folders "Start Menu", "Desktop", "Programs" and "Nethood". @@ -14220,7 +15319,7 @@ and deny them write access to this file.</P TYPE="1" ><LI ><P -> On the Windows 95 machine, go to Control Panel | Passwords and +> On the Windows 9x / Me machine, go to Control Panel -> Passwords and select the User Profiles tab. Select the required level of roaming preferences. Press OK, but do _not_ allow the computer to reboot. 
@@ -14228,8 +15327,8 @@ TYPE="1" ></LI ><LI ><P -> On the Windows 95 machine, go to Control Panel | Network | - Client for Microsoft Networks | Preferences. Select 'Log on to +> On the Windows 9x / Me machine, go to Control Panel -> Network -> + Client for Microsoft Networks -> Preferences. Select 'Log on to NT Domain'. Then, ensure that the Primary Logon is 'Client for Microsoft Networks'. Press OK, and this time allow the computer to reboot. @@ -14237,12 +15336,12 @@ TYPE="1" ></LI ></OL ><P ->Under Windows 95, Profiles are downloaded from the Primary Logon. +>Under Windows 9x / Me Profiles are downloaded from the Primary Logon. If you have the Primary Logon as 'Client for Novell Networks', then the profiles and logon script will be downloaded from your Novell Server. If you have the Primary Logon as 'Windows Logon', then the profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, if you ask me.</P +concept of roaming profiles, it would seem!</P ><P >You will now find that the Microsoft Networks Login box contains [user, password, domain] instead of just [user, password]. Type in 
@@ -14251,26 +15350,26 @@ but bear in mind that the user will be authenticated against this domain and profiles downloaded from it, if that domain logon server supports it), user name and user's password.</P ><P ->Once the user has been successfully validated, the Windows 95 machine +>Once the user has been successfully validated, the Windows 9x / Me machine will inform you that 'The user has not logged on before' and asks you if you wish to save the user's preferences? Select 'yes'.</P ><P ->Once the Windows 95 client comes up with the desktop, you should be able +>Once the Windows 9x / Me client comes up with the desktop, you should be able to examine the contents of the directory specified in the "logon path" on the samba server and verify that the "Desktop", "Start Menu", "Programs" and "Nethood" folders have been created.</P ><P >These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then :-). +the user logs off (if you haven't made them read-only by then). You will find that if the user creates further folders or short-cuts, that the client will merge the profile contents downloaded with the contents of the profile directory already on the local client, taking the newest folders and short-cuts from each set.</P ><P >If you have made the folders / files read-only on the samba server, -then you will get errors from the w95 machine on logon and logout, as +then you will get errors from the Windows 9x / Me machine on logon and logout, as it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the w95 machine, check the Unix file +you have any errors reported by the Windows 9x / Me machine, check the Unix file permissions and ownership rights on the profile directory contents, on the samba server.</P ><P 
@@ -14298,9 +15397,9 @@ TYPE="1" > you will find an entry, for each user, of ProfilePath. Note the contents of this key (likely to be c:\windows\profiles\username), then delete the key ProfilePath for the required user. - </P -><P -> [Exit the registry editor]. + + [Exit the registry editor]. + </P ></LI ><LI @@ -14312,16 +15411,19 @@ CLASS="EMPHASIS" >WARNING</I ></SPAN > - before deleting the contents of the - directory listed in - the ProfilePath (this is likely to be c:\windows\profiles\username), - ask them if they have any important files stored on their desktop - or in their start menu. delete the contents of the directory - ProfilePath (making a backup if any of the files are needed). + directory listed in the ProfilePath (this is likely to be + <TT +CLASS="FILENAME" +>c:\windows\profiles\username)</TT +>, ask them if they + have any important files stored on their desktop or in their start menu. + Delete the contents of the directory ProfilePath (making a backup if any + of the files are needed). </P ><P -> This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. +> This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. </P ></LI ><LI @@ -14332,7 +15434,7 @@ CLASS="EMPHASIS" ></LI ><LI ><P -> log off the windows 95 client. +> log off the windows 9x / Me client. </P ></LI ><LI 
@@ -14345,39 +15447,42 @@ CLASS="EMPHASIS" ></OL ><P >If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as tcpdump or netmon.exe, and -look for any error reports.</P +and / or run a packet trace program such as ethereal or netmon.exe, and +look for error messages.</P ><P ->If you have access to an NT server, then first set up roaming profiles -and / or netlogons on the NT server. Make a packet trace, or examine -the example packet traces provided with NT server, and see what the +>If you have access to an Windows NT4/200x server, then first set up roaming profiles +and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine +the example packet traces provided with Windows NT4/200x server, and see what the differences are with the equivalent samba trace.</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2829" ->18.1.5. Windows NT Workstation 4.0</A -></H3 +NAME="AEN3069" +>17.1.2.2. Windows NT4 Workstation</A +></H4 ><P >When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile location can be now specified through the "logon path" parameter.</P ><P >There is a parameter that is now available for use with NT Profiles: -"logon drive". This should be set to "h:" or any other drive, and +"logon drive". This should be set to <TT +CLASS="FILENAME" +>H:</TT +> or any other drive, and should be used in conjunction with the new "logon home" parameter.</P ><P ->The entry for the NT 4.0 profile is a _directory_ not a file. The NT +>The entry for the NT4 profile is a _directory_ not a file. The NT help on profiles mentions that a directory is also created with a .PDS extension. 
The user, while logging in, must have write permission to create the full profile path (and the folder with the .PDS extension for those situations where it might be created.)</P ><P ->In the profile directory, NT creates more folders than 95. It creates -"Application Data" and others, as well as "Desktop", "Nethood", +>In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. +It creates "Application Data" and others, as well as "Desktop", "Nethood", "Start Menu" and "Programs". The profile itself is stored in a file NTuser.DAT. Nothing appears to be stored in the .PDS directory, and its purpose is currently unknown.</P 
@@ -14392,80 +15497,55 @@ turns a profile into a mandatory one.</P NTuser.DAT or, for a mandatory profile, NTuser.MAN.</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" ><A -NAME="AEN2837" ->18.1.6. Windows NT/200x Server</A -></H3 +NAME="AEN3078" +>17.1.2.3. Windows 2000/XP Professional</A +></H4 ><P ->There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2840" ->18.1.7. Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A -></H3 +>You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows:</P ><P ->Sharing of desktop profiles between Windows versions is NOT recommended. -Desktop profiles are an evolving phenomenon and profiles for later versions -of MS Windows clients add features that may interfere with earlier versions -of MS Windows clients. Probably the more salient reason to NOT mix profiles -is that when logging off an earlier version of MS Windows the older format -of profile contents may overwrite information that belongs to the newer -version resulting in loss of profile information content when that user logs -on again with the newer version of MS Windows.</P +></P +><UL +><LI ><P ->If you then want to share the same Start Menu / Desktop with W9x/Me, you will -need to specify a common location for the profiles. The smb.conf parameters -that need to be common are <SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->logon path</I -></SPAN -> and -<SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->logon home</I -></SPAN ->.</P +> Log on as the LOCAL workstation administrator. 
+ </P +></LI +><LI ><P ->If you have this set up correctly, you will find separate user.DAT and -NTuser.DAT files in the same profile directory.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2847" ->18.1.8. Windows NT 4</A -></H3 +> Right click on the 'My Computer' Icon, select 'Properties' + </P +></LI +><LI ><P ->Unfortunately, the Resource Kit info is Win NT4 or 200x specific.</P +> Click on the 'User Profiles' tab + </P +></LI +><LI ><P ->Here is a quick guide:</P +> Select the profile you wish to convert (click on it once) + </P +></LI +><LI ><P -></P -><UL +> Click on the button 'Copy To' + </P +></LI ><LI ><P ->On your NT4 Domain Controller, right click on 'My Computer', then -select the tab labelled 'User Profiles'.</P +> In the "Permitted to use" box, click on the 'Change' button. + </P ></LI ><LI ><P ->Select a user profile you want to migrate and click on it.</P +> Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. + </P ><DIV CLASS="NOTE" ><P @@ -14487,10 +15567,8 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->I am using the term "migrate" lossely. You can copy a profile to -create a group profile. You can give the user 'Everyone' rights to the -profile you copy this to. That is what you need to do, since your samba -domain is not a member of a trust relationship with your NT4 PDC.</P +>You will need to log on if a logon box opens up. Eg: In the connect + as: MIDEARTH\root, password: mypassword.</P ></TD ></TR ></TABLE 
@@ -14498,140 +15576,251 @@ domain is not a member of a trust relationship with your NT4 PDC.</P ></LI ><LI ><P ->Click the 'Copy To' button.</P +> To make the profile capable of being used by anyone select 'Everyone' + </P ></LI ><LI ><P ->In the box labelled 'Copy Profile to' add your new path, eg: +> Click OK. The Selection box will close. + </P +></LI +><LI +><P +> Now click on the 'Ok' button to create the profile in the path you + nominated. + </P +></LI +></UL +><P +>Done. You now have a profile that can be editted using the samba-3.0.0 <TT CLASS="FILENAME" ->c:\temp\foobar</TT +>profiles</TT +> tool.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>Under NT/2K the use of mandotory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable.</P +></TD +></TR +></TABLE +></DIV +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P ></P +><UL +><LI +><P +>This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. The policy is:</P +><P +>"Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders"</P +><P +>...and it should be set to "Enabled". +Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this.</P +><P +>If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. 
If you want to try this, then do +the following (N.B. I don't know for sure that this will work in the +same way as a domain group policy):</P ></LI ><LI ><P ->Click on the button labelled 'Change' in the "Permitted to use" box.</P +>On the XP workstation log in with an Administrator account.</P ></LI ><LI ><P ->Click on the group 'Everyone' and then click OK. This closes the -'chose user' box.</P +>Click: "Start", "Run"</P ></LI ><LI ><P ->Now click OK.</P +>Type: "mmc"</P ></LI -></UL +><LI ><P ->Follow the above for every profile you need to migrate.</P -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2870" ->18.1.8.1. Side bar Notes</A -></H4 +>Click: "OK"</P +></LI +><LI ><P ->You should obtain the SID of your NT4 domain. You can use smbpasswd to do -this. Read the man page.</P +>A Microsoft Management Console should appear.</P +></LI +><LI ><P ->With Samba-3.0.0 alpha code you can import all you NT4 domain accounts -using the net samsync method. This way you can retain your profile -settings as well as all your users.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2874" ->18.1.8.2. Mandatory profiles</A -></H4 +>Click: File, "Add/Remove Snap-in...", "Add"</P +></LI +><LI ><P ->The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2877" ->18.1.8.3. moveuser.exe</A -></H4 +>Double-Click: "Group Policy"</P +></LI +><LI ><P ->The W2K professional resource kit has moveuser.exe. moveuser.exe changes -the security of a profile from one user to another. This allows the account -domain to change, and/or the user name to change.</P -></DIV -><DIV -CLASS="SECT3" -><HR><H4 -CLASS="SECT3" -><A -NAME="AEN2880" ->18.1.8.4. 
Get SID</A -></H4 +>Click: "Finish", "Close"</P +></LI +><LI ><P ->You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 -Resource Kit.</P +>Click: "OK"</P +></LI +><LI ><P ->Windows NT 4.0 stores the local profile information in the registry under -the following key: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</P +>In the "Console Root" window:</P +></LI +><LI ><P ->Under the ProfileList key, there will be subkeys named with the SIDs of the -users who have logged on to this computer. (To find the profile information -for the user whose locally cached profile you want to move, find the SID for -the user with the GetSID.exe utility.) Inside of the appropriate user's -subkey, you will see a string value named ProfileImagePath.</P -></DIV -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2885" ->18.1.9. Windows 2000/XP</A -></H3 +>Expand: "Local Computer Policy", "Computer Configuration",</P +></LI +><LI ><P ->You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows:</P +>"Administrative Templates", "System", "User Profiles"</P +></LI +><LI ><P -></P -><UL +>Double-Click: "Do not check for user ownership of Roaming Profile</P +></LI ><LI ><P ->Log on as the LOCAL workstation administrator.</P +>Folders"</P ></LI ><LI ><P ->Right click on the 'My Computer' Icon, select 'Properties'</P +>Select: "Enabled"</P ></LI ><LI ><P ->Click on the 'User Profiles' tab</P +>Click: OK"</P ></LI ><LI ><P ->Select the profile you wish to convert (click on it once)</P +>Close the whole console. You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed).</P ></LI ><LI ><P ->Click on the button 'Copy To'</P +>Reboot</P ></LI +></UL +></TD +></TR +></TABLE +></DIV +></DIV +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3151" +>17.1.3. 
Sharing Profiles between W9x/Me and NT4/200x/XP workstations</A +></H3 +><P +>Sharing of desktop profiles between Windows versions is NOT recommended. +Desktop profiles are an evolving phenomenon and profiles for later versions +of MS Windows clients add features that may interfere with earlier versions +of MS Windows clients. Probably the more salient reason to NOT mix profiles +is that when logging off an earlier version of MS Windows the older format +of profile contents may overwrite information that belongs to the newer +version resulting in loss of profile information content when that user logs +on again with the newer version of MS Windows.</P +><P +>If you then want to share the same Start Menu / Desktop with W9x/Me, you will +need to specify a common location for the profiles. The smb.conf parameters +that need to be common are <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>logon path</I +></SPAN +> and +<SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>logon home</I +></SPAN +>.</P +><P +>If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3158" +>17.1.4. Profile Migration from Windows NT4/200x Server to Samba</A +></H3 +><P +>There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3161" +>17.1.4.1. Windows NT4 Profile Management Tools</A +></H4 +><P +>Unfortunately, the Resource Kit information is specific to the version of MS Windows +NT4/200x. 
The correct resource kit is required for each platform.</P +><P +>Here is a quick guide:</P +><P +></P +><UL ><LI ><P ->In the "Permitted to use" box, click on the 'Change' button.</P +>On your NT4 Domain Controller, right click on 'My Computer', then +select the tab labelled 'User Profiles'.</P ></LI ><LI ><P ->Click on the 'Look in" area that lists the machine name, when you click -here it will open up a selection box. Click on the domain to which the -profile must be accessible.</P +>Select a user profile you want to migrate and click on it.</P ><DIV CLASS="NOTE" ><P @@ -14653,8 +15842,10 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->You will need to log on if a logon box opens up. Eg: In the connect -as: MIDEARTH\root, password: mypassword.</P +>I am using the term "migrate" lossely. You can copy a profile to +create a group profile. You can give the user 'Everyone' rights to the +profile you copy this to. That is what you need to do, since your samba +domain is not a member of a trust relationship with your NT4 PDC.</P ></TD ></TR ></TABLE 
@@ -14662,21 +15853,100 @@ as: MIDEARTH\root, password: mypassword.</P ></LI ><LI ><P ->To make the profile capable of being used by anyone select 'Everyone'</P +>Click the 'Copy To' button.</P +></LI +><LI +><P +>In the box labelled 'Copy Profile to' add your new path, eg: + <TT +CLASS="FILENAME" +>c:\temp\foobar</TT +></P +></LI +><LI +><P +>Click on the button labelled 'Change' in the "Permitted to use" box.</P ></LI ><LI ><P ->Click OK. The Selection box will close.</P +>Click on the group 'Everyone' and then click OK. This closes the + 'chose user' box.</P ></LI ><LI ><P ->Now click on the 'Ok' button to create the profile in the path you -nominated.</P +>Now click OK.</P ></LI ></UL ><P ->Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool.</P +>Follow the above for every profile you need to migrate.</P +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3184" +>17.1.4.2. Side bar Notes</A +></H4 +><P +>You should obtain the SID of your NT4 domain. You can use smbpasswd to do +this. Read the man page.</P +><P +>With Samba-3.0.0 alpha code you can import all you NT4 domain accounts +using the net samsync method. This way you can retain your profile +settings as well as all your users.</P +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3188" +>17.1.4.3. moveuser.exe</A +></H4 +><P +>The W2K professional resource kit has moveuser.exe. moveuser.exe changes +the security of a profile from one user to another. This allows the account +domain to change, and/or the user name to change.</P +></DIV +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3191" +>17.1.4.4. 
Get SID</A +></H4 +><P +>You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 +Resource Kit.</P +><P +>Windows NT 4.0 stores the local profile information in the registry under +the following key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</P +><P +>Under the ProfileList key, there will be subkeys named with the SIDs of the +users who have logged on to this computer. (To find the profile information +for the user whose locally cached profile you want to move, find the SID for +the user with the GetSID.exe utility.) Inside of the appropriate user's +subkey, you will see a string value named ProfileImagePath.</P +></DIV +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3196" +>17.2. Mandatory profiles</A +></H2 +><P +>A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter.</P ><DIV CLASS="NOTE" ><P 
@@ -14698,12 +15968,40 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->Under NT/2K the use of mandotory profiles forces the use of MS Exchange -storage of mail data. That keeps desktop profiles usable.</P +>Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable.</P ></TD ></TR ></TABLE ></DIV +><P +>For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN.</P +><P +>For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to +affect a mandatory profile.</P +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3203" +>17.3. Creating/Managing Group Profiles</A +></H2 +><P +>Most organisations are arranged into departments. There is a nice benenfit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile.</P +><P +>The next step is rather important. PLEASE NOTE: Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile.</P ><DIV CLASS="NOTE" ><P 
@@ -14725,120 +16023,324 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P -></P -><UL -><LI +> Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. + </P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3209" +>17.4. Default Profile for Windows Users</A +></H2 ><P ->This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:</P +>MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages.</P ><P ->"Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders"</P +></P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3213" +>17.4.1. MS Windows 9x/Me</A +></H3 ><P ->...and it should be set to "Enabled". -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this.</P +>To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System +Policy Editor or change the registry directly.</P ><P ->If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. 
I don't know for sure that this will work in the -same way as a domain group policy):</P -></LI -><LI +>To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then +select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System, +select User Profiles, click on the enable box. Do not forget to save the registry changes.</P ><P ->On the XP workstation log in with an Administrator account.</P -></LI -><LI +>To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive +<TT +CLASS="FILENAME" +>HKEY_LOCAL_MACHINE\Network\Logon</TT +>. Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.</P +><DIV +CLASS="SECT3" +><HR><H4 +CLASS="SECT3" +><A +NAME="AEN3219" +>17.4.1.1. How User Profiles Are Handled in Windows 9x / Me?</A +></H4 ><P ->Click: "Start", "Run"</P -></LI -><LI +>When a user logs on to a Windows 9x / Me machine, the local profile path, +<TT +CLASS="FILENAME" +>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</TT +>, is checked +for an existing entry for that user:</P ><P ->Type: "mmc"</P -></LI -><LI +>If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. 
If the User Profile only exists on the local machine, that copy is used.</P ><P ->Click: "OK"</P -></LI -><LI +>If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server.</P +></DIV +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3225" +>17.4.2. MS Windows NT4 Workstation</A +></H3 ><P ->A Microsoft Management Console should appear.</P -></LI -><LI +>On MS Windows NT4 the default user profile is obtained from the location +<TT +CLASS="FILENAME" +>%SystemRoot%\Profiles</TT +> which in a default installation will translate to +<TT +CLASS="FILENAME" +>C:\WinNT\Profiles</TT +>. Under this directory on a clean install there will be +three (3) directories: <TT +CLASS="FILENAME" +>Administrator, All Users, Default User</TT +>.</P ><P ->Click: File, "Add/Remove Snap-in...", "Add"</P -></LI -><LI +>The <TT +CLASS="FILENAME" +>All Users</TT +> directory contains menu settings that are common across all +system users. 
The <TT +CLASS="FILENAME" +>Default User</TT +> directory contains menu entries that are +customisable per user depending on the profile settings chosen/created.</P ><P ->Double-Click: "Group Policy"</P -></LI -><LI +>When a new user first logs onto an MS Windows NT4 machine a new profile is created from:</P ><P ->Click: "Finish", "Close"</P -></LI -><LI +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>All Users settings</TD +></TR +><TR +><TD +>Default User settings (contains the default NTUser.DAT file)</TD +></TR +></TBODY +></TABLE ><P ->Click: "OK"</P -></LI -><LI +></P ><P ->In the "Console Root" window:</P -></LI -><LI +>When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling:</P ><P ->Expand: "Local Computer Policy", "Computer Configuration",</P -></LI +></P +><OL +TYPE="1" ><LI ><P ->"Administrative Templates", "System", "User Profiles"</P +> The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +>. This profile then inherits the + settings in the <TT +CLASS="FILENAME" +>All Users</TT +> profile in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles</TT +> + location. + </P ></LI ><LI ><P ->Double-Click: "Do not check for user ownership of Roaming Profile</P +> If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +> + directory from reading the <TT +CLASS="FILENAME" +>Default User</TT +> profile. 
+ </P ></LI ><LI ><P ->Folders"</P +> If the NETLOGON share on the authenticating server (logon server) contains a policy file + (<TT +CLASS="FILENAME" +>NTConfig.POL</TT +>) then it's contents are applied to the <TT +CLASS="FILENAME" +>NTUser.DAT</TT +> + which is applied to the <TT +CLASS="FILENAME" +>HKEY_CURRENT_USER</TT +> part of the registry. + </P ></LI ><LI ><P ->Select: "Enabled"</P +> When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The <TT +CLASS="FILENAME" +>NTuser.DAT</TT +> file is then + re-created from the contents of the <TT +CLASS="FILENAME" +>HKEY_CURRENT_USER</TT +> contents. + Thus, should there not exist in the NETLOGON share an <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> at the + next logon, the effect of the provious <TT +CLASS="FILENAME" +>NTConfig.POL</TT +> will still be held + in the profile. The effect of this is known as <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>tatooing</I +></SPAN +>. + </P ></LI -><LI +></OL ><P ->Click: OK"</P -></LI -><LI +>MS Windows NT4 profiles may be <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Local</I +></SPAN +> or <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Roaming</I +></SPAN +>. A Local profile +will stored in the <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +> location. A roaming profile will +also remain stored in the same way, unless the following registry key is created:</P ><P ->Close the whole console. 
You do not need to save the settings (this -refers to the console settings rather than the policies you have -changed).</P -></LI -><LI +><PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001</PRE +> + +In which case, the local copy (in <TT +CLASS="FILENAME" +>%SystemRoot%\Profiles\%USERNAME%</TT +>) will be +deleted on logout.</P ><P ->Reboot</P -></LI -></UL -></TD -></TR -></TABLE -></DIV -></DIV -></DIV +>Under MS Windows NT4 default locations for common resources (like <TT +CLASS="FILENAME" +>My Documents</TT +> +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.</P +><P +>The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\</PRE +></P +><P +>The above hive key contains a list of automatically managed folders. 
The default entries are:</P +><P +> <PRE +CLASS="PROGRAMLISTING" +> Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + NetHood %USERPROFILE%\NetHood + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + </PRE +> + </P +><P +>The registry key that contains the location of the default profile settings is: + +<PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE + \SOFTWARE + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders</PRE +> + +The default entries are: + +<PRE +CLASS="PROGRAMLISTING" +> Common Desktop %SystemRoot%\Profiles\All Users\Desktop + Common Programs %SystemRoot%\Profiles\All Users\Programs + Common Start Menu %SystemRoot%\Profiles\All Users\Start Menu + Common Startu p %SystemRoot%\Profiles\All Users\Start Menu\Progams\Startup</PRE +></P ></DIV ><DIV -CLASS="CHAPTER" -><HR><H1 +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" ><A -NAME="INTEGRATE-MS-NETWORKS" -></A ->Chapter 19. Integrating MS Windows networks with Samba</H1 -><P ->This section deals with NetBIOS over TCP/IP name to IP address resolution. If you -your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this -section does not apply to your installation. If your installation involves use of -NetBIOS over TCP/IP then this section may help you to resolve networking problems.</P +NAME="AEN3279" +>17.4.3. MS Windows 200x/XP</A +></H3 ><DIV CLASS="NOTE" ><P 
@@ -14860,21 +16362,38 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P -> NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS - over Logical Link Control (LLC). On modern networks it is highly advised - to NOT run NetBEUI at all. Note also that there is NO such thing as - NetBEUI over TCP/IP - the existence of such a protocol is a complete - and utter mis-apprehension.</P +> MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). + </P ></TD ></TR ></TABLE ></DIV ><P ->Since the introduction of MS Windows 2000 it is possible to run MS Windows networking -without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS -name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over -TCP/IP is disabled on MS Windows 2000 and later clients then only TCP port 445 will be -used and UDP port 137 and TCP port 139 will not.</P +>When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +<TT +CLASS="FILENAME" +>C:\Documents and Settings\Default User</TT +>. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. </P +><P +>When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. 
ie: In MS Windows parlance: +<TT +CLASS="FILENAME" +>%LOGONSERVER%\NETLOGON\Default User</TT +> and if one exits there it will copy this +to the workstation to the <TT +CLASS="FILENAME" +>C:\Documents and Settings\</TT +> under the Windows +login name of the user.</P ><DIV CLASS="NOTE" ><P 
@@ -14896,1755 +16415,2487 @@ ALT="Note"></TD ALIGN="LEFT" VALIGN="TOP" ><P ->When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then -the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet -Name Service or WINS), TCP port 139 AND TCP port 445 (for actual file and print traffic).</P +> This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory + should be created at the root of this share and msut be called <TT +CLASS="FILENAME" +>Default Profile</TT +>. + </P ></TD ></TR ></TABLE ></DIV ><P ->When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that -disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires -Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR). -Use of DHCP with ADS is recommended as a further means of maintaining central control -over client workstation network configuration.</P -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN2975" ->19.1. Name Resolution in a pure Unix/Linux world</A -></H2 +>If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile.</P ><P ->The key configuration files covered in this section are:</P +>On loging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. 
If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path <TT +CLASS="FILENAME" +>C:\Documents and Settings\%USERNAME%</TT +>.</P +><P +>Those wishing to modify the default behaviour can do so through up to three methods:</P ><P ></P ><UL ><LI ><P -><TT -CLASS="FILENAME" ->/etc/hosts</TT -></P +> Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. + </P ></LI ><LI ><P -><TT -CLASS="FILENAME" ->/etc/resolv.conf</TT -></P +> Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. + </P ></LI ><LI ><P -><TT -CLASS="FILENAME" ->/etc/host.conf</TT -></P +> Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. + </P ></LI -><LI +></UL ><P -><TT -CLASS="FILENAME" ->/etc/nsswitch.conf</TT +>The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders\</PRE ></P -></LI -></UL -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN2991" ->19.1.1. <TT -CLASS="FILENAME" ->/etc/hosts</TT -></A -></H3 ><P ->Contains a static list of IP Addresses and names. -eg:</P +>The above hive key contains a list of automatically managed folders. 
The default entries are:</P ><P -><PRE +> <PRE CLASS="PROGRAMLISTING" -> 127.0.0.1 localhost localhost.localdomain - 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE -></P -><P ->The purpose of <TT -CLASS="FILENAME" ->/etc/hosts</TT -> is to provide a -name resolution mechanism so that uses do not need to remember -IP addresses.</P +> Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Cache %USERPROFILE%\Local Settings\Temporary Internet Files + Cookies %USERPROFILE%\Cookies + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + History %USERPROFILE%\Local Settings\History + Local AppData %USERPROFILE%\Local Settings\Application Data + Local Settings %USERPROFILE%\Local Settings + My Pictures %USERPROFILE%\My Documents\My Pictures + NetHood %USERPROFILE%\NetHood + Personal %USERPROFILE%\My Documents + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + Templates %USERPROFILE%\Templates + </PRE +> + </P ><P ->Network packets that are sent over the physical network transport -layer communicate not via IP addresses but rather using the Media -Access Control address, or MAC address. IP Addresses are currently -32 bits in length and are typically presented as four (4) decimal -numbers that are separated by a dot (or period). eg: 168.192.1.1</P +>There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all +the others are of type REG_EXPAND_SZ.</P ><P ->MAC Addresses use 48 bits (or 6 bytes) and are typically represented -as two digit hexadecimal numbers separated by colons. eg: -40:8e:0a:12:34:56</P +>It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. 
This means that it will NOT be necessary to +write Outlook PST file over the network for every login and logout.</P ><P ->Every network interfrace must have an MAC address. Associated with -a MAC address there may be one or more IP addresses. There is NO -relationship between an IP address and a MAC address, all such assignments -are arbitary or discretionary in nature. At the most basic level all -network communications takes place using MAC addressing. Since MAC -addresses must be globally unique, and generally remains fixed for -any particular interface, the assignment of an IP address makes sense -from a network management perspective. More than one IP address can -be assigned per MAC address. One address must be the primary IP address, -this is the address that will be returned in the ARP reply.</P +>To set this to a network location you could use the following examples: + +<PRE +CLASS="PROGRAMLISTING" +> %LOGONSERVER%\%USERNAME%\Default Folders</PRE +> + +This would store the folders in the user's home directory under a directory called "Default Folders" + +You could also use: + +<PRE +CLASS="PROGRAMLISTING" +> \\SambaServer\FolderShare\%USERNAME%</PRE +> + +in which case the default folders will be stored in the server named <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>SambaServer</I +></SPAN +> +in the share called <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>FolderShare</I +></SPAN +> under a directory that has the name of the MS Windows +user as seen by the Linux/Unix file system.</P ><P ->When a user or a process wants to communicate with another machine -the protocol implementation ensures that the "machine name" or "host -name" is resolved to an IP address in a manner that is controlled -by the TCP/IP configuration control files. 
The file -<TT -CLASS="FILENAME" ->/etc/hosts</TT -> is one such file.</P +>Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it.</P ><P ->When the IP address of the destination interface has been -determined a protocol called ARP/RARP is used to identify -the MAC address of the target interface. ARP stands for Address -Resolution Protocol, and is a broadcast oriented method that -uses UDP (User Datagram Protocol) to send a request to all -interfaces on the local network segment using the all 1's MAC -address. Network interfaces are programmed to respond to two -MAC addresses only; their own unique address and the address -ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will -contain the MAC address and the primary IP address for each -interface.</P +>MS Windows 200x/XP profiles may be <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Local</I +></SPAN +> or <SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>Roaming</I +></SPAN +>. +A roaming profile will be cached locally unless the following registry key is created:</P ><P ->The <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file is foundational to all -Unix/Linux TCP/IP installations and as a minumum will contain -the localhost and local network interface IP addresses and the -primary names by which they are known within the local machine. -This file helps to prime the pump so that a basic level of name -resolution can exist before any other method of name resolution -becomes available.</P +><PRE +CLASS="PROGRAMLISTING" +> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\ + "DeleteRoamingCache"=dword:00000001</PRE +> + +In which case, the local cache copy will be deleted on logout.</P +></DIV +></DIV ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="CHAPTER" +><HR><H1 ><A -NAME="AEN3007" ->19.1.2. 
<TT -CLASS="FILENAME" ->/etc/resolv.conf</TT +NAME="PAM" ></A -></H3 -><P ->This file tells the name resolution libraries:</P -><P -></P -><UL -><LI -><P ->The name of the domain to which the machine - belongs - </P -></LI -><LI -><P ->The name(s) of any domains that should be - automatically searched when trying to resolve unqualified - host names to their IP address - </P -></LI -><LI -><P ->The name or IP address of available Domain - Name Servers that may be asked to perform name to address - translation lookups - </P -></LI -></UL -></DIV +>Chapter 18. PAM Configuration for Centrally Managed Authentication</H1 ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT1" +><H2 +CLASS="SECT1" ><A -NAME="AEN3018" ->19.1.3. <TT +NAME="AEN3332" +>18.1. Samba and PAM</A +></H2 +><P +>A number of Unix systems (eg: Sun Solaris), as well as the +xxxxBSD family and Linux, now utilize the Pluggable Authentication +Modules (PAM) facility to provide all authentication, +authorization and resource control services. Prior to the +introduction of PAM, a decision to use an alternative to +the system password database (<TT CLASS="FILENAME" ->/etc/host.conf</TT -></A -></H3 +>/etc/passwd</TT +>) +would require the provision of alternatives for all programs that provide +security services. Such a choice would involve provision of +alternatives to such programs as: <B +CLASS="COMMAND" +>login</B +>, +<B +CLASS="COMMAND" +>passwd</B +>, <B +CLASS="COMMAND" +>chown</B +>, etc.</P ><P -><TT +>PAM provides a mechanism that disconnects these security programs +from the underlying authentication/authorization infrastructure. +PAM is configured either through one file <TT CLASS="FILENAME" ->/etc/host.conf</TT -> is the primary means by -which the setting in /etc/resolv.conf may be affected. It is a -critical configuration file. This file controls the order by -which name resolution may procede. 
The typical structure is:</P +>/etc/pam.conf</TT +> (Solaris), +or by editing individual files that are located in <TT +CLASS="FILENAME" +>/etc/pam.d</TT +>.</P +><DIV +CLASS="NOTE" ><P -><PRE -CLASS="PROGRAMLISTING" -> order hosts,bind - multi on</PRE ></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->then both addresses should be returned. Please refer to the -man page for host.conf for further details.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3026" ->19.1.4. <TT +> If the PAM authentication module (loadable link library file) is located in the + default location then it is not necessary to specify the path. In the case of + Linux, the default location is <TT CLASS="FILENAME" ->/etc/nsswitch.conf</TT -></A -></H3 +>/lib/security</TT +>. If the module + is located other than default then the path may be specified as: + + <PRE +CLASS="PROGRAMLISTING" +> auth required /other_path/pam_strange_module.so + </PRE +> + </P +></TD +></TR +></TABLE +></DIV ><P ->This file controls the actual name resolution targets. The -file typically has resolver object specifications as follows:</P +>The following is an example <TT +CLASS="FILENAME" +>/etc/pam.d/login</TT +> configuration file. +This example had all options been uncommented is probably not usable +as it stacks many conditions before allowing successful completion +of the login process. Essentially all conditions can be disabled +by commenting them out except the calls to <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +>.</P ><P ><PRE CLASS="PROGRAMLISTING" -> # /etc/nsswitch.conf - # - # Name Service Switch configuration file. 
+> #%PAM-1.0 + # The PAM configuration file for the `login' service # - - passwd: compat - # Alternative entries for password authentication are: - # passwd: compat files nis ldap winbind - shadow: compat - group: compat - - hosts: files nis dns - # Alternative entries for host name resolution are: - # hosts: files dns nis nis+ hesoid db compat ldap wins - networks: nis files dns - - ethers: nis files - protocols: nis files - rpc: nis files - services: nis files</PRE + auth required pam_securetty.so + auth required pam_nologin.so + # auth required pam_dialup.so + # auth optional pam_mail.so + auth required pam_pwdb.so shadow md5 + # account requisite pam_time.so + account required pam_pwdb.so + session required pam_pwdb.so + # session optional pam_lastlog.so + # password required pam_cracklib.so retry=3 + password required pam_pwdb.so shadow md5</PRE ></P ><P ->Of course, each of these mechanisms requires that the appropriate -facilities and/or services are correctly configured.</P +>PAM allows use of replacable modules. Those available on a +sample system include:</P ><P ->It should be noted that unless a network request/message must be -sent, TCP/IP networks are silent. 
All TCP/IP communications assumes a -principal of speaking only when necessary.</P +><SAMP +CLASS="PROMPT" +>$</SAMP +><KBD +CLASS="USERINPUT" +>/bin/ls /lib/security</KBD +> +<PRE +CLASS="PROGRAMLISTING" +> pam_access.so pam_ftp.so pam_limits.so + pam_ncp_auth.so pam_rhosts_auth.so pam_stress.so + pam_cracklib.so pam_group.so pam_listfile.so + pam_nologin.so pam_rootok.so pam_tally.so + pam_deny.so pam_issue.so pam_mail.so + pam_permit.so pam_securetty.so pam_time.so + pam_dialup.so pam_lastlog.so pam_mkhomedir.so + pam_pwdb.so pam_shells.so pam_unix.so + pam_env.so pam_ldap.so pam_motd.so + pam_radius.so pam_smbpass.so pam_unix_acct.so + pam_wheel.so pam_unix_auth.so pam_unix_passwd.so + pam_userdb.so pam_warn.so pam_unix_session.so</PRE +></P ><P ->Starting with version 2.2.0 samba has Linux support for extensions to -the name service switch infrastructure so that linux clients will -be able to obtain resolution of MS Windows NetBIOS names to IP -Addresses. To gain this functionality Samba needs to be compiled -with appropriate arguments to the make command (ie: <B +>The following example for the login program replaces the use of +the <TT +CLASS="FILENAME" +>pam_pwdb.so</TT +> module which uses the system +password database (<TT +CLASS="FILENAME" +>/etc/passwd</TT +>, +<TT +CLASS="FILENAME" +>/etc/shadow</TT +>, <TT +CLASS="FILENAME" +>/etc/group</TT +>) with +the module <TT +CLASS="FILENAME" +>pam_smbpass.so</TT +> which uses the Samba +database which contains the Microsoft MD4 encrypted password +hashes. This database is stored in either +<TT +CLASS="FILENAME" +>/usr/local/samba/private/smbpasswd</TT +>, +<TT +CLASS="FILENAME" +>/etc/samba/smbpasswd</TT +>, or in +<TT +CLASS="FILENAME" +>/etc/samba.d/smbpasswd</TT +>, depending on the +Samba implementation for your Unix/Linux system. The +<TT +CLASS="FILENAME" +>pam_smbpass.so</TT +> module is provided by +Samba version 2.2.1 or later. 
It can be compiled by specifying the +<B CLASS="COMMAND" ->make -nsswitch/libnss_wins.so</B ->). The resulting library should -then be installed in the <TT +>--with-pam_smbpass</B +> options when running Samba's +<TT CLASS="FILENAME" ->/lib</TT -> directory and -the "wins" parameter needs to be added to the "hosts:" line in -the <TT +>configure</TT +> script. For more information +on the <TT CLASS="FILENAME" ->/etc/nsswitch.conf</TT -> file. At this point it -will be possible to ping any MS Windows machine by it's NetBIOS -machine name, so long as that machine is within the workgroup to -which both the samba machine and the MS Windows machine belong.</P -></DIV -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3038" ->19.2. Name resolution as used within MS Windows networking</A -></H2 -><P ->MS Windows networking is predicated about the name each machine -is given. This name is known variously (and inconsistently) as -the "computer name", "machine name", "networking name", "netbios name", -"SMB name". All terms mean the same thing with the exception of -"netbios name" which can apply also to the name of the workgroup or the -domain name. The terms "workgroup" and "domain" are really just a -simply name with which the machine is associated. All NetBIOS names -are exactly 16 characters in length. The 16th character is reserved. -It is used to store a one byte value that indicates service level -information for the NetBIOS name that is registered. 
A NetBIOS machine -name is therefore registered for each service type that is provided by -the client/server.</P -><P ->The following are typical NetBIOS name/service type registrations:</P +>pam_smbpass</TT +> module, see the documentation +in the <TT +CLASS="FILENAME" +>source/pam_smbpass</TT +> directory of the Samba +source distribution.</P ><P ><PRE CLASS="PROGRAMLISTING" -> Unique NetBIOS Names: - MACHINENAME<00> = Server Service is running on MACHINENAME - MACHINENAME<03> = Generic Machine Name (NetBIOS name) - MACHINENAME<20> = LanMan Server service is running on MACHINENAME - WORKGROUP<1b> = Domain Master Browser - - Group Names: - WORKGROUP<03> = Generic Name registered by all members of WORKGROUP - WORKGROUP<1c> = Domain Controllers / Netlogon Servers - WORKGROUP<1d> = Local Master Browsers - WORKGROUP<1e> = Internet Name Resolvers</PRE +> #%PAM-1.0 + # The PAM configuration file for the `login' service + # + auth required pam_smbpass.so nodelay + account required pam_smbpass.so nodelay + session required pam_smbpass.so nodelay + password required pam_smbpass.so nodelay</PRE ></P ><P ->It should be noted that all NetBIOS machines register their own -names as per the above. This is in vast contrast to TCP/IP -installations where traditionally the system administrator will -determine in the /etc/hosts or in the DNS database what names -are associated with each IP address.</P -><P ->One further point of clarification should be noted, the <TT +>The following is the PAM configuration file for a particular +Linux system. The default condition uses <TT CLASS="FILENAME" ->/etc/hosts</TT -> -file and the DNS records do not provide the NetBIOS name type information -that MS Windows clients depend on to locate the type of service that may -be needed. An example of this is what happens when an MS Windows client -wants to locate a domain logon server. 
It find this service and the IP -address of a server that provides it by performing a lookup (via a -NetBIOS broadcast) for enumeration of all machines that have -registered the name type *<1c>. A logon request is then sent to each -IP address that is returned in the enumerated list of IP addresses. Which -ever machine first replies then ends up providing the logon services.</P +>pam_pwdb.so</TT +>.</P ><P ->The name "workgroup" or "domain" really can be confusing since these -have the added significance of indicating what is the security -architecture of the MS Windows network. The term "workgroup" indicates -that the primary nature of the network environment is that of a -peer-to-peer design. In a WORKGROUP all machines are responsible for -their own security, and generally such security is limited to use of -just a password (known as SHARE MODE security). In most situations -with peer-to-peer networking the users who control their own machines -will simply opt to have no security at all. It is possible to have -USER MODE security in a WORKGROUP environment, thus requiring use -of a user name and a matching password.</P +><PRE +CLASS="PROGRAMLISTING" +> #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required pam_pwdb.so nullok nodelay shadow audit + account required pam_pwdb.so audit nodelay + session required pam_pwdb.so nodelay + password required pam_pwdb.so shadow md5</PRE +></P ><P ->MS Windows networking is thus predetermined to use machine names -for all local and remote machine message passing. The protocol used is -called Server Message Block (SMB) and this is implemented using -the NetBIOS protocol (Network Basic Input Output System). NetBIOS can -be encapsulated using LLC (Logical Link Control) protocol - in which case -the resulting protocol is called NetBEUI (Network Basic Extended User -Interface). 
NetBIOS can also be run over IPX (Internetworking Packet -Exchange) protocol as used by Novell NetWare, and it can be run -over TCP/IP protocols - in which case the resulting protocol is called -NBT or NetBT, the NetBIOS over TCP/IP.</P +>In the following example the decision has been made to use the +smbpasswd database even for basic samba authentication. Such a +decision could also be made for the passwd program and would +thus allow the smbpasswd passwords to be changed using the passwd +program.</P ><P ->MS Windows machines use a complex array of name resolution mechanisms. -Since we are primarily concerned with TCP/IP this demonstration is -limited to this area.</P +><PRE +CLASS="PROGRAMLISTING" +> #%PAM-1.0 + # The PAM configuration file for the `samba' service + # + auth required pam_smbpass.so nodelay + account required pam_pwdb.so audit nodelay + session required pam_pwdb.so nodelay + password required pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf</PRE +></P ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3050" ->19.2.1. The NetBIOS Name Cache</A -></H3 -><P ->All MS Windows machines employ an in memory buffer in which is -stored the NetBIOS names and IP addresses for all external -machines that that machine has communicated with over the -past 10-15 minutes. It is more efficient to obtain an IP address -for a machine from the local cache than it is to go through all the -configured name resolution mechanisms.</P -><P ->If a machine whose name is in the local name cache has been shut -down before the name had been expired and flushed from the cache, then -an attempt to exchange a message with that machine will be subject -to time-out delays. i.e.: Its name is in the cache, so a name resolution -lookup will succeed, but the machine can not respond. 
This can be -frustrating for users - but it is a characteristic of the protocol.</P +CLASS="NOTE" ><P ->The MS Windows utility that allows examination of the NetBIOS -name cache is called "nbtstat". The Samba equivalent of this -is called "nmblookup".</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3055" ->19.2.2. The LMHOSTS file</A -></H3 +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->This file is usually located in MS Windows NT 4.0 or -2000 in <TT +>PAM allows stacking of authentication mechanisms. It is +also possible to pass information obtained within one PAM module through +to the next module in the PAM stack. Please refer to the documentation for +your particular system implementation for details regarding the specific +capabilities of PAM in this environment. Some Linux implmentations also +provide the <TT CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the machine name in matched pairs. The +>pam_stack.so</TT +> module that allows all +authentication to be configured in a single central file. The <TT CLASS="FILENAME" ->LMHOSTS</TT -> file performs NetBIOS name -to IP address mapping oriented.</P -><P ->It typically looks like:</P -><P -><PRE -CLASS="PROGRAMLISTING" -> # Copyright (c) 1998 Microsoft Corp. - # - # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS - # over TCP/IP) stack for Windows98 - # - # This file contains the mappings of IP addresses to NT computernames - # (NetBIOS) names. Each entry should be kept on an individual line. - # The IP address should be placed in the first column followed by the - # corresponding computername. The address and the comptername - # should be separated by at least one space or tab. 
The "#" character - # is generally used to denote the start of a comment (see the exceptions - # below). - # - # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts - # files and offers the following extensions: - # - # #PRE - # #DOM:<domain> - # #INCLUDE <filename> - # #BEGIN_ALTERNATE - # #END_ALTERNATE - # \0xnn (non-printing character support) - # - # Following any entry in the file with the characters "#PRE" will cause - # the entry to be preloaded into the name cache. By default, entries are - # not preloaded, but are parsed only after dynamic name resolution fails. - # - # Following an entry with the "#DOM:<domain>" tag will associate the - # entry with the domain specified by <domain>. This affects how the - # browser and logon services behave in TCP/IP environments. To preload - # the host name associated with #DOM entry, it is necessary to also add a - # #PRE to the line. The <domain> is always preloaded although it will not - # be shown when the name cache is viewed. - # - # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT) - # software to seek the specified <filename> and parse it as if it were - # local. <filename> is generally a UNC-based name, allowing a - # centralized lmhosts file to be maintained on a server. - # It is ALWAYS necessary to provide a mapping for the IP address of the - # server prior to the #INCLUDE. This mapping must use the #PRE directive. - # In addtion the share "public" in the example below must be in the - # LanManServer list of "NullSessionShares" in order for client machines to - # be able to read the lmhosts file successfully. This key is under - # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares - # in the registry. Simply add "public" to the list found there. - # - # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE - # statements to be grouped together. Any single successful include - # will cause the group to succeed. 
- # - # Finally, non-printing characters can be embedded in mappings by - # first surrounding the NetBIOS name in quotations, then using the - # \0xnn notation to specify a hex value for a non-printing character. - # - # The following example illustrates all of these extensions: - # - # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC - # 102.54.94.102 "appname \0x14" #special app server - # 102.54.94.123 popular #PRE #source server - # 102.54.94.117 localsrv #PRE #needed for the include - # - # #BEGIN_ALTERNATE - # #INCLUDE \\localsrv\public\lmhosts - # #INCLUDE \\rhino\public\lmhosts - # #END_ALTERNATE - # - # In the above example, the "appname" server contains a special - # character in its name, the "popular" and "localsrv" server names are - # preloaded, and the "rhino" server name is specified so it can be used - # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" - # system is unavailable. - # - # Note that the whole file is parsed including comments on each lookup, - # so keeping the number of comments to a minimum will improve performance. - # Therefore it is not advisable to simply add lmhosts file entries onto the - # end of this file.</PRE -></P +>pam_stack.so</TT +> method has some very devoted followers +on the basis that it allows for easier administration. As with all issues in +life though, every decision makes trade-offs, so you may want examine the +PAM documentation for further helpful information.</P +></TD +></TR +></TABLE ></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3063" ->19.2.3. HOSTS file</A -></H3 -><P ->This file is usually located in MS Windows NT 4.0 or 2000 in -<TT -CLASS="FILENAME" ->C:\WINNT\SYSTEM32\DRIVERS\ETC</TT -> and contains -the IP Address and the IP hostname in matched pairs. It can be -used by the name resolution infrastructure in MS Windows, depending -on how the TCP/IP environment is configured. 
This file is in -every way the equivalent of the Unix/Linux <TT -CLASS="FILENAME" ->/etc/hosts</TT -> file.</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" ><A -NAME="AEN3068" ->19.2.4. DNS Lookup</A -></H3 +NAME="AEN3383" +>18.2. Distributed Authentication</A +></H2 ><P ->This capability is configured in the TCP/IP setup area in the network -configuration facility. If enabled an elaborate name resolution sequence -is followed the precise nature of which isdependant on what the NetBIOS -Node Type parameter is configured to. A Node Type of 0 means use -NetBIOS broadcast (over UDP broadcast) is first used if the name -that is the subject of a name lookup is not found in the NetBIOS name -cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to -Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the -WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast -lookup is used.</P +>The astute administrator will realize from this that the +combination of <TT +CLASS="FILENAME" +>pam_smbpass.so</TT +>, +<B +CLASS="COMMAND" +>winbindd</B +>, and a distributed +passdb backend, such as ldap, will allow the establishment of a +centrally managed, distributed +user/password database that can also be used by all +PAM (eg: Linux) aware programs and applications. This arrangement +can have particularly potent advantages compared with the +use of Microsoft Active Directory Service (ADS) in so far as +reduction of wide area network authentication traffic.</P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" ><A -NAME="AEN3071" ->19.2.5. WINS Lookup</A -></H3 -><P ->A WINS (Windows Internet Name Server) service is the equivaent of the -rfc1001/1002 specified NBNS (NetBIOS Name Server). 
A WINS server stores -the names and IP addresses that are registered by a Windows client -if the TCP/IP setup has been given at least one WINS Server IP Address.</P -><P ->To configure Samba to be a WINS server the following parameter needs -to be added to the <TT -CLASS="FILENAME" ->smb.conf</TT -> file:</P +NAME="AEN3388" +>18.3. PAM Configuration in smb.conf</A +></H2 ><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = Yes</PRE -></P +>There is an option in smb.conf called <A +HREF="smb.conf.5.html#OBEYPAMRESTRICTIONS" +TARGET="_top" +>obey pam restrictions</A +>. +The following is from the on-line help for this option in SWAT;</P ><P ->To configure Samba to use a WINS server the following parameters are -needed in the smb.conf file:</P +>When Samba is configured to enable PAM support (i.e. +<CODE +CLASS="CONSTANT" +>--with-pam</CODE +>), this parameter will +control whether or not Samba should obey PAM's account +and session management directives. The default behavior +is to use PAM for clear text authentication only and to +ignore any account or session management. Note that Samba always +ignores PAM for authentication in the case of +<A +HREF="smb.conf.5.html#ENCRYPTPASSWORDS" +TARGET="_top" +>encrypt passwords = yes</A +>. +The reason is that PAM modules cannot support the challenge/response +authentication mechanism needed in the presence of SMB +password encryption. </P ><P -><PRE -CLASS="PROGRAMLISTING" -> wins support = No - wins server = xxx.xxx.xxx.xxx</PRE +>Default: <B +CLASS="COMMAND" +>obey pam restrictions = no</B ></P -><P ->where <VAR -CLASS="REPLACEABLE" ->xxx.xxx.xxx.xxx</VAR -> is the IP address -of the WINS server.</P -></DIV ></DIV ></DIV ><DIV CLASS="CHAPTER" ><HR><H1 ><A -NAME="IMPROVED-BROWSING" +NAME="VFS" ></A ->Chapter 20. Improved browsing in samba</H1 +>Chapter 19. Stackable VFS modules</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3090" ->20.1. Overview of browsing</A +NAME="AEN3423" +>19.1. 
Introduction and configuration</A ></H2 ><P ->SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called "browse list". This list -contains machines that are ready to offer file and/or print services -to other machines within the network. Thus it does not include -machines which aren't currently able to do server tasks. The browse -list is heavily used by all SMB clients. Configuration of SMB -browsing has been problematic for some Samba users, hence this -document.</P -><P ->MS Windows 2000 and later, as with Samba-3 and later, can be -configured to not use NetBIOS over TCP/IP. When configured this way -it is imperative that name resolution (using DNS/LDAP/ADS) be correctly -configured and operative. Browsing will NOT work if name resolution -from SMB machine names to IP addresses does not function correctly.</P -><P ->Where NetBIOS over TCP/IP is enabled use of a WINS server is highly -recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. -WINS allows remote segment clients to obtain NetBIOS name_type information -that can NOT be provided by any other means of name resolution.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3095" ->20.2. Browsing support in samba</A -></H2 -><P ->Samba facilitates browsing. The browsing is supported by nmbd -and is also controlled by options in the smb.conf file (see smb.conf(5)). -Samba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available.</P -><P ->Samba can also act as a domain master browser for a workgroup. This -means that it will collate lists from local browse masters into a -wide area network server list. In order for browse clients to -resolve the names they may find in this list, it is recommended that -both samba and your clients use a WINS server.</P +>Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. 
+Samba passes each request to access the unix file system thru the loaded VFS modules. +This chapter covers all the modules that come with the samba source and references to +some external modules.</P ><P ->Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain: on each wide area -network, you must only ever have one domain master browser per workgroup, -regardless of whether it is NT, Samba or any other type of domain master -that is providing this service.</P +>You may have problems to compile these modules, as shared libraries are +compiled and linked in different ways on different systems. +They currently have been tested against GNU/linux and IRIX.</P ><P ->[Note that nmbd can be configured as a WINS server, but it is not -necessary to specifically use samba as your WINS server. MS Windows -NT4, Server or Advanced Server 2000 or 2003 can be configured as -your WINS server. In a mixed NT/2000/2003 server and samba environment on -a Wide Area Network, it is recommended that you use the Microsoft -WINS server capabilities. In a samba-only environment, it is -recommended that you use one and only one Samba server as your WINS server.</P +>To use the VFS modules, create a share similar to the one below. The +important parameter is the <B +CLASS="COMMAND" +>vfs object</B +> parameter which must point to +the exact pathname of the shared library objects. 
For example, to log all access +to files and use a recycle bin: + +<PRE +CLASS="PROGRAMLISTING" +> [audit] + comment = Audited /data directory + path = /data + vfs object = /path/to/audit.so /path/to/recycle.so + writeable = yes + browseable = yes</PRE +></P ><P ->To get browsing to work you need to run nmbd as usual, but will need -to use the "workgroup" option in smb.conf to control what workgroup -Samba becomes a part of.</P +>The modules are used in the order they are specified.</P ><P ->Samba also has a useful option for a Samba server to offer itself for -browsing on another subnet. It is recommended that this option is only -used for 'unusual' purposes: announcements over the internet, for -example. See "remote announce" in the smb.conf man page. </P +>Further documentation on writing VFS modules for Samba can be found in +the Samba Developers Guide.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3103" ->20.3. Problem resolution</A +NAME="AEN3432" +>19.2. Included modules</A ></H2 +><DIV +CLASS="SECT2" +><H3 +CLASS="SECT2" +><A +NAME="AEN3434" +>19.2.1. audit</A +></H3 ><P ->If something doesn't work then hopefully the log.nmb file will help -you track down the problem. Try a debug level of 2 or 3 for finding -problems. Also note that the current browse list usually gets stored -in text form in a file called browse.dat.</P -><P ->Note that if it doesn't work for you, then you should still be able to -type the server name as \\SERVER in filemanager then hit enter and -filemanager should display the list of available shares.</P +>A simple module to audit file access to the syslog +facility. 
The following operations are logged: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>share</TD +></TR +><TR +><TD +>connect/disconnect</TD +></TR +><TR +><TD +>directory opens/create/remove</TD +></TR +><TR +><TD +>file open/close/rename/unlink/chmod</TD +></TR +></TBODY +></TABLE ><P ->Some people find browsing fails because they don't have the global -"guest account" set to a valid account. Remember that the IPC$ -connection that lists the shares is done as guest, and thus you must -have a valid guest account.</P +></P +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3442" +>19.2.2. extd_audit</A +></H3 ><P -><SPAN +>This module is identical with the <SPAN CLASS="emphasis" ><I CLASS="EMPHASIS" ->MS Windows 2000 and upwards (as with Samba) can be configured to disallow -anonymous (ie: Guest account) access to the IPC$ share. In that case, the -MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the -name of the currently logged in user to query the IPC$ share. MS Windows -9X clients are not able to do this and thus will NOT be able to browse -server resources.</I +>audit</I ></SPAN +> module above except +that it sends audit logs to both syslog as well as the smbd log file/s. The +loglevel for this module is set in the smb.conf file. At loglevel = 0, only file +and directory deletions and directory and file creations are logged. At loglevel = 1 +file opens are renames and permission changes are logged , while at loglevel = 2 file +open and close calls are logged also.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3446" +>19.2.3. recycle</A +></H3 +><P +>A recycle-bin like modules. 
When used any unlink call +will be intercepted and files moved to the recycle +directory instead of beeing deleted.</P +><P +>Supported options: +<P ></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>vfs_recycle_bin:repository</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:keeptree</DT +><DD ><P ->Also, a lot of people are getting bitten by the problem of too many -parameters on the command line of nmbd in inetd.conf. This trick is to -not use spaces between the option and the parameter (eg: -d2 instead -of -d 2), and to not use the -B and -N options. New versions of nmbd -are now far more likely to correctly find your broadcast and network -address, so in most cases these aren't needed.</P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:versions</DT +><DD ><P ->The other big problem people have is that their broadcast address, -netmask or IP address is wrong (specified with the "interfaces" option -in smb.conf)</P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:touch</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:maxsize</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:exclude</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:exclude_dir</DT +><DD +><P +>FIXME</P +></DD +><DT +>vfs_recycle_bin:noversions</DT +><DD +><P +>FIXME</P +></DD +></DL +></DIV +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3483" +>19.2.4. netatalk</A +></H3 +><P +>A netatalk module, that will ease co-existence of samba and +netatalk file sharing services.</P +><P +>Advantages compared to the old netatalk module: +<P +></P +><TABLE +BORDER="0" +><TBODY +><TR +><TD +>it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD +></TR +><TR +><TD +>if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD +></TR +></TBODY +></TABLE +><P +></P +></P +></DIV ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3112" ->20.4. 
Browsing across subnets</A +NAME="AEN3490" +>19.3. VFS modules available elsewhere</A ></H2 ><P ->Since the release of Samba 1.9.17(alpha1) Samba has been -updated to enable it to support the replication of browse lists -across subnet boundaries. New code and options have been added to -achieve this. This section describes how to set this feature up -in different settings.</P -><P ->To see browse lists that span TCP/IP subnets (ie. networks separated -by routers that don't pass broadcast traffic) you must set up at least -one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing -NetBIOS name to IP address translation to be done by doing a direct -query of the WINS server. This is done via a directed UDP packet on -port 137 to the WINS server machine. The reason for a WINS server is -that by default, all NetBIOS name to IP address translation is done -by broadcasts from the querying machine. This means that machines -on one subnet will not be able to resolve the names of machines on -another subnet without using a WINS server.</P +>This section contains a listing of various other VFS modules that +have been posted but don't currently reside in the Samba CVS +tree for one reason ot another (e.g. it is easy for the maintainer +to have his or her own CVS tree).</P ><P ->Remember, for browsing across subnets to work correctly, all machines, -be they Windows 95, Windows NT, or Samba servers must have the IP address -of a WINS server given to them by a DHCP server, or by manual configuration -(for Win95 and WinNT, this is in the TCP/IP Properties, under Network -settings) for Samba this is in the smb.conf file.</P +>No statemets about the stability or functionality any module +should be implied due to its presence here.</P ><DIV CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3117" ->20.4.1. How does cross subnet browsing work ?</A +NAME="AEN3494" +>19.3.1. 
DatabaseFS</A ></H3 ><P ->Cross subnet browsing is a complicated dance, containing multiple -moving parts. It has taken Microsoft several years to get the code -that achieves this correct, and Samba lags behind in some areas. -Samba is capable of cross subnet browsing when configured correctly.</P -><P ->Consider a network set up as follows :</P +>URL: <A +HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" +TARGET="_top" +>http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A +></P ><P -><PRE -CLASS="PROGRAMLISTING" -> (DMB) - N1_A N1_B N1_C N1_D N1_E - | | | | | - ------------------------------------------------------- - | subnet 1 | - +---+ +---+ - |R1 | Router 1 Router 2 |R2 | - +---+ +---+ - | | - | subnet 2 subnet 3 | - -------------------------- ------------------------------------ - | | | | | | | | - N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D - (WINS)</PRE +>By <A +HREF="mailto:elorimer@css.tayloru.edu" +TARGET="_top" +>Eric Lorimer</A +>.</P +><P +>I have created a VFS module which implements a fairly complete read-only +filesystem. It presents information from a database as a filesystem in +a modular and generic way to allow different databases to be used +(originally designed for organizing MP3s under directories such as +"Artists," "Song Keywords," etc... I have since applied it to a student +roster database very easily). The directory structure is stored in the +database itself and the module makes no assumptions about the database +structure beyond the table it requires to run.</P +><P +>Any feedback would be appreciated: comments, suggestions, patches, +etc... If nothing else, hopefully it might prove useful for someone +else who wishes to create a virtual filesystem.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3502" +>19.3.2. 
vscan</A +></H3 +><P +>URL: <A +HREF="http://www.openantivirus.org/" +TARGET="_top" +>http://www.openantivirus.org/</A ></P ><P ->Consisting of 3 subnets (1, 2, 3) connected by two routers -(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines -on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume -for the moment that all these machines are configured to be in the -same workgroup (for simplicities sake). Machine N1_C on subnet 1 -is configured as Domain Master Browser (ie. it will collate the -browse lists for the workgroup). Machine N2_D is configured as -WINS server and all the other machines are configured to register -their NetBIOS names with it.</P +>samba-vscan is a proof-of-concept module for Samba, which +uses the VFS (virtual file system) features of Samba 2.2.x/3.0 +alphaX. Of couse, Samba has to be compiled with VFS support. +samba-vscan supports various virus scanners and is maintained +by Rainer Link.</P +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="MSDFS" +></A +>Chapter 20. Hosting a Microsoft Distributed File System tree on Samba</H1 +><DIV +CLASS="SECT1" +><H2 +CLASS="SECT1" +><A +NAME="AEN3518" +>20.1. Instructions</A +></H2 ><P ->As all these machines are booted up, elections for master browsers -will take place on each of the three subnets. Assume that machine -N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on -subnet 3 - these machines are known as local master browsers for -their particular subnet. N1_C has an advantage in winning as the -local master browser on subnet 1 as it is set up as Domain Master -Browser.</P +>The Distributed File System (or Dfs) provides a means of + separating the logical view of files and directories that users + see from the actual physical locations of these resources on the + network. It allows for higher availability, smoother storage expansion, + load balancing etc. 
For more information about Dfs, refer to <A +HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" +TARGET="_top" +> Microsoft documentation</A +>. </P ><P ->On each of the three networks, machines that are configured to -offer sharing services will broadcast that they are offering -these services. The local master browser on each subnet will -receive these broadcasts and keep a record of the fact that -the machine is offering a service. This list of records is -the basis of the browse list. For this case, assume that -all the machines are configured to offer services so all machines -will be on the browse list.</P +>This document explains how to host a Dfs tree on a Unix + machine (for Dfs-aware clients to browse) using Samba.</P ><P ->For each network, the local master browser on that network is -considered 'authoritative' for all the names it receives via -local broadcast. This is because a machine seen by the local -master browser via a local broadcast must be on the same -network as the local master browser and thus is a 'trusted' -and 'verifiable' resource. Machines on other networks that -the local master browsers learn about when collating their -browse lists have not been directly seen - these records are -called 'non-authoritative'.</P +>To enable SMB-based DFS for Samba, configure it with the + <VAR +CLASS="PARAMETER" +>--with-msdfs</VAR +> option. Once built, a + Samba server can be made a Dfs server by setting the global + boolean <A +HREF="smb.conf.5.html#HOSTMSDFS" +TARGET="_top" +><VAR +CLASS="PARAMETER" +> host msdfs</VAR +></A +> parameter in the <TT +CLASS="FILENAME" +>smb.conf + </TT +> file. You designate a share as a Dfs root using the share + level boolean <A +HREF="smb.conf.5.html#MSDFSROOT" +TARGET="_top" +><VAR +CLASS="PARAMETER" +> msdfs root</VAR +></A +> parameter. A Dfs root directory on + Samba hosts Dfs links in the form of symbolic links that point + to other servers. 
For example, a symbolic link + <TT +CLASS="FILENAME" +>junction->msdfs:storage1\share1</TT +> in + the share directory acts as the Dfs junction. When Dfs-aware + clients attempt to access the junction link, they are redirected + to the storage location (in this case, \\storage1\share1).</P ><P ->At this point the browse lists look as follows (these are -the machines you would see in your network neighborhood if -you looked in it on a particular network right now).</P +>Dfs trees on Samba work with all Dfs-aware clients ranging + from Windows 95 to 2000.</P +><P +>Here's an example of setting up a Dfs tree on a Samba + server.</P ><P ><PRE CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D +># The smb.conf file: +[global] + netbios name = SAMBA + host msdfs = yes -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D</PRE +[dfs] + path = /export/dfsroot + msdfs root = yes + </PRE ></P ><P ->Note that at this point all the subnets are separate, no -machine is seen across any of the subnets.</P +>In the /export/dfsroot directory we set up our dfs links to + other servers on the network.</P ><P ->Now examine subnet 2. As soon as N2_B has become the local -master browser it looks for a Domain master browser to synchronize -its browse list with. It does this by querying the WINS server -(N2_D) for the IP address associated with the NetBIOS name -WORKGROUP>1B<. This name was registerd by the Domain master -browser (N1_C) with the WINS server as soon as it was booted.</P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>cd /export/dfsroot</KBD +></P ><P ->Once N2_B knows the address of the Domain master browser it -tells it that is the local master browser for subnet 2 by -sending a MasterAnnouncement packet as a UDP port 138 packet. -It then synchronizes with it by doing a NetServerEnum2 call. 
This -tells the Domain Master Browser to send it all the server -names it knows about. Once the domain master browser receives -the MasterAnnouncement packet it schedules a synchronization -request to the sender of that packet. After both synchronizations -are done the browse lists look like :</P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>chown root /export/dfsroot</KBD +></P ><P -><PRE -CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - -Servers with a (*) after them are non-authoritative names.</PRE +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>chmod 755 /export/dfsroot</KBD ></P ><P ->At this point users looking in their network neighborhood on -subnets 1 or 2 will see all the servers on both, users on -subnet 3 will still only see the servers on their own subnet.</P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>ln -s msdfs:storageA\\shareA linka</KBD +></P +><P +><SAMP +CLASS="PROMPT" +>root# </SAMP +><KBD +CLASS="USERINPUT" +>ln -s msdfs:serverB\\share,serverC\\share linkb</KBD +></P +><P +>You should set up the permissions and ownership of + the directory acting as the Dfs root such that only designated + users can create, delete or modify the msdfs links. Also note + that symlink names should be all lowercase. This limitation exists + to have Samba avoid trying all the case combinations to get at + the link name. Finally set up the symbolic links to point to the + network shares you want, and start Samba.</P +><P +>Users on Dfs-aware clients can now browse the Dfs tree + on the Samba server at \\samba\dfs. 
Accessing + links linka or linkb (which appear as directories to the client) + takes users directly to the appropriate shares on the network.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3553" +>20.1.1. Notes</A +></H3 +><P +></P +><UL +><LI +><P +>Windows clients need to be rebooted + if a previously mounted non-dfs share is made a dfs + root or vice versa. A better way is to introduce a + new share and make it the dfs root.</P +></LI +><LI +><P +>Currently there's a restriction that msdfs + symlink names should all be lowercase.</P +></LI +><LI +><P +>For security purposes, the directory + acting as the root of the Dfs tree should have ownership + and permissions set so that only designated users can + modify the symbolic links in the directory.</P +></LI +></UL +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="INTEGRATE-MS-NETWORKS" +></A +>Chapter 21. Integrating MS Windows networks with Samba</H1 +><P +>This section deals with NetBIOS over TCP/IP name to IP address resolution. If you +your MS Windows clients are NOT configured to use NetBIOS over TCP/IP then this +section does not apply to your installation. If your installation involves use of +NetBIOS over TCP/IP then this section may help you to resolve networking problems.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +> NetBIOS over TCP/IP has nothing to do with NetBEUI. NetBEUI is NetBIOS + over Logical Link Control (LLC). On modern networks it is highly advised + to NOT run NetBEUI at all. 
Note also that there is NO such thing as + NetBEUI over TCP/IP - the existence of such a protocol is a complete + and utter mis-apprehension.</P +></TD +></TR +></TABLE +></DIV +><P +>Since the introduction of MS Windows 2000 it is possible to run MS Windows networking +without the use of NetBIOS over TCP/IP. NetBIOS over TCP/IP uses UDP port 137 for NetBIOS +name resolution and uses TCP port 139 for NetBIOS session services. When NetBIOS over +TCP/IP is disabled on MS Windows 2000 and later clients then only TCP port 445 will be +used and UDP port 137 and TCP port 139 will not.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>When using Windows 2000 or later clients, if NetBIOS over TCP/IP is NOT disabled, then +the client will use UDP port 137 (NetBIOS Name Service, also known as the Windows Internet +Name Service or WINS), TCP port 139 AND TCP port 445 (for actual file and print traffic).</P +></TD +></TR +></TABLE +></DIV +><P +>When NetBIOS over TCP/IP is disabled the use of DNS is essential. Most installations that +disable NetBIOS over TCP/IP today use MS Active Directory Service (ADS). ADS requires +Dynamic DNS with Service Resource Records (SRV RR) and with Incremental Zone Transfers (IXFR). +Use of DHCP with ADS is recommended as a further means of maintaining central control +over client workstation network configuration.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3580" +>21.1. 
Name Resolution in a pure Unix/Linux world</A +></H2 +><P +>The key configuration files covered in this section are:</P +><P +></P +><UL +><LI +><P +><TT +CLASS="FILENAME" +>/etc/hosts</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +></P +></LI +><LI +><P +><TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></P +></LI +></UL +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3596" +>21.1.1. <TT +CLASS="FILENAME" +>/etc/hosts</TT +></A +></H3 +><P +>Contains a static list of IP Addresses and names. +eg:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> 127.0.0.1 localhost localhost.localdomain + 192.168.1.1 bigbox.caldera.com bigbox alias4box</PRE +></P +><P +>The purpose of <TT +CLASS="FILENAME" +>/etc/hosts</TT +> is to provide a +name resolution mechanism so that uses do not need to remember +IP addresses.</P +><P +>Network packets that are sent over the physical network transport +layer communicate not via IP addresses but rather using the Media +Access Control address, or MAC address. IP Addresses are currently +32 bits in length and are typically presented as four (4) decimal +numbers that are separated by a dot (or period). eg: 168.192.1.1</P +><P +>MAC Addresses use 48 bits (or 6 bytes) and are typically represented +as two digit hexadecimal numbers separated by colons. eg: +40:8e:0a:12:34:56</P +><P +>Every network interfrace must have an MAC address. Associated with +a MAC address there may be one or more IP addresses. There is NO +relationship between an IP address and a MAC address, all such assignments +are arbitary or discretionary in nature. At the most basic level all +network communications takes place using MAC addressing. Since MAC +addresses must be globally unique, and generally remains fixed for +any particular interface, the assignment of an IP address makes sense +from a network management perspective. 
More than one IP address can +be assigned per MAC address. One address must be the primary IP address, +this is the address that will be returned in the ARP reply.</P +><P +>When a user or a process wants to communicate with another machine +the protocol implementation ensures that the "machine name" or "host +name" is resolved to an IP address in a manner that is controlled +by the TCP/IP configuration control files. The file +<TT +CLASS="FILENAME" +>/etc/hosts</TT +> is one such file.</P +><P +>When the IP address of the destination interface has been +determined a protocol called ARP/RARP is used to identify +the MAC address of the target interface. ARP stands for Address +Resolution Protocol, and is a broadcast oriented method that +uses UDP (User Datagram Protocol) to send a request to all +interfaces on the local network segment using the all 1's MAC +address. Network interfaces are programmed to respond to two +MAC addresses only; their own unique address and the address +ff:ff:ff:ff:ff:ff. The reply packet from an ARP request will +contain the MAC address and the primary IP address for each +interface.</P +><P +>The <TT +CLASS="FILENAME" +>/etc/hosts</TT +> file is foundational to all +Unix/Linux TCP/IP installations and as a minumum will contain +the localhost and local network interface IP addresses and the +primary names by which they are known within the local machine. +This file helps to prime the pump so that a basic level of name +resolution can exist before any other method of name resolution +becomes available.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3612" +>21.1.2. 
<TT +CLASS="FILENAME" +>/etc/resolv.conf</TT +></A +></H3 +><P +>This file tells the name resolution libraries:</P +><P +></P +><UL +><LI +><P +>The name of the domain to which the machine + belongs + </P +></LI +><LI +><P +>The name(s) of any domains that should be + automatically searched when trying to resolve unqualified + host names to their IP address + </P +></LI +><LI +><P +>The name or IP address of available Domain + Name Servers that may be asked to perform name to address + translation lookups + </P +></LI +></UL +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3623" +>21.1.3. <TT +CLASS="FILENAME" +>/etc/host.conf</TT +></A +></H3 +><P +><TT +CLASS="FILENAME" +>/etc/host.conf</TT +> is the primary means by +which the setting in /etc/resolv.conf may be affected. It is a +critical configuration file. This file controls the order by +which name resolution may procede. The typical structure is:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> order hosts,bind + multi on</PRE +></P +><P +>then both addresses should be returned. Please refer to the +man page for host.conf for further details.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3631" +>21.1.4. <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +></A +></H3 +><P +>This file controls the actual name resolution targets. The +file typically has resolver object specifications as follows:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> # /etc/nsswitch.conf + # + # Name Service Switch configuration file. 
+ # + + passwd: compat + # Alternative entries for password authentication are: + # passwd: compat files nis ldap winbind + shadow: compat + group: compat + + hosts: files nis dns + # Alternative entries for host name resolution are: + # hosts: files dns nis nis+ hesoid db compat ldap wins + networks: nis files dns + + ethers: nis files + protocols: nis files + rpc: nis files + services: nis files</PRE +></P +><P +>Of course, each of these mechanisms requires that the appropriate +facilities and/or services are correctly configured.</P +><P +>It should be noted that unless a network request/message must be +sent, TCP/IP networks are silent. All TCP/IP communications assumes a +principal of speaking only when necessary.</P +><P +>Starting with version 2.2.0 samba has Linux support for extensions to +the name service switch infrastructure so that linux clients will +be able to obtain resolution of MS Windows NetBIOS names to IP +Addresses. To gain this functionality Samba needs to be compiled +with appropriate arguments to the make command (ie: <B +CLASS="COMMAND" +>make +nsswitch/libnss_wins.so</B +>). The resulting library should +then be installed in the <TT +CLASS="FILENAME" +>/lib</TT +> directory and +the "wins" parameter needs to be added to the "hosts:" line in +the <TT +CLASS="FILENAME" +>/etc/nsswitch.conf</TT +> file. At this point it +will be possible to ping any MS Windows machine by it's NetBIOS +machine name, so long as that machine is within the workgroup to +which both the samba machine and the MS Windows machine belong.</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3643" +>21.2. Name resolution as used within MS Windows networking</A +></H2 +><P +>MS Windows networking is predicated about the name each machine +is given. This name is known variously (and inconsistently) as +the "computer name", "machine name", "networking name", "netbios name", +"SMB name". 
All terms mean the same thing with the exception of +"netbios name" which can apply also to the name of the workgroup or the +domain name. The terms "workgroup" and "domain" are really just a +simply name with which the machine is associated. All NetBIOS names +are exactly 16 characters in length. The 16th character is reserved. +It is used to store a one byte value that indicates service level +information for the NetBIOS name that is registered. A NetBIOS machine +name is therefore registered for each service type that is provided by +the client/server.</P +><P +>The following are typical NetBIOS name/service type registrations:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> Unique NetBIOS Names: + MACHINENAME<00> = Server Service is running on MACHINENAME + MACHINENAME<03> = Generic Machine Name (NetBIOS name) + MACHINENAME<20> = LanMan Server service is running on MACHINENAME + WORKGROUP<1b> = Domain Master Browser + + Group Names: + WORKGROUP<03> = Generic Name registered by all members of WORKGROUP + WORKGROUP<1c> = Domain Controllers / Netlogon Servers + WORKGROUP<1d> = Local Master Browsers + WORKGROUP<1e> = Internet Name Resolvers</PRE +></P +><P +>It should be noted that all NetBIOS machines register their own +names as per the above. This is in vast contrast to TCP/IP +installations where traditionally the system administrator will +determine in the /etc/hosts or in the DNS database what names +are associated with each IP address.</P +><P +>One further point of clarification should be noted, the <TT +CLASS="FILENAME" +>/etc/hosts</TT +> +file and the DNS records do not provide the NetBIOS name type information +that MS Windows clients depend on to locate the type of service that may +be needed. An example of this is what happens when an MS Windows client +wants to locate a domain logon server. 
It find this service and the IP +address of a server that provides it by performing a lookup (via a +NetBIOS broadcast) for enumeration of all machines that have +registered the name type *<1c>. A logon request is then sent to each +IP address that is returned in the enumerated list of IP addresses. Which +ever machine first replies then ends up providing the logon services.</P +><P +>The name "workgroup" or "domain" really can be confusing since these +have the added significance of indicating what is the security +architecture of the MS Windows network. The term "workgroup" indicates +that the primary nature of the network environment is that of a +peer-to-peer design. In a WORKGROUP all machines are responsible for +their own security, and generally such security is limited to use of +just a password (known as SHARE MODE security). In most situations +with peer-to-peer networking the users who control their own machines +will simply opt to have no security at all. It is possible to have +USER MODE security in a WORKGROUP environment, thus requiring use +of a user name and a matching password.</P +><P +>MS Windows networking is thus predetermined to use machine names +for all local and remote machine message passing. The protocol used is +called Server Message Block (SMB) and this is implemented using +the NetBIOS protocol (Network Basic Input Output System). NetBIOS can +be encapsulated using LLC (Logical Link Control) protocol - in which case +the resulting protocol is called NetBEUI (Network Basic Extended User +Interface). NetBIOS can also be run over IPX (Internetworking Packet +Exchange) protocol as used by Novell NetWare, and it can be run +over TCP/IP protocols - in which case the resulting protocol is called +NBT or NetBT, the NetBIOS over TCP/IP.</P +><P +>MS Windows machines use a complex array of name resolution mechanisms. 
+Since we are primarily concerned with TCP/IP this demonstration is +limited to this area.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3655" +>21.2.1. The NetBIOS Name Cache</A +></H3 +><P +>All MS Windows machines employ an in memory buffer in which is +stored the NetBIOS names and IP addresses for all external +machines that that machine has communicated with over the +past 10-15 minutes. It is more efficient to obtain an IP address +for a machine from the local cache than it is to go through all the +configured name resolution mechanisms.</P +><P +>If a machine whose name is in the local name cache has been shut +down before the name had been expired and flushed from the cache, then +an attempt to exchange a message with that machine will be subject +to time-out delays. i.e.: Its name is in the cache, so a name resolution +lookup will succeed, but the machine can not respond. This can be +frustrating for users - but it is a characteristic of the protocol.</P +><P +>The MS Windows utility that allows examination of the NetBIOS +name cache is called "nbtstat". The Samba equivalent of this +is called "nmblookup".</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3660" +>21.2.2. The LMHOSTS file</A +></H3 +><P +>This file is usually located in MS Windows NT 4.0 or +2000 in <TT +CLASS="FILENAME" +>C:\WINNT\SYSTEM32\DRIVERS\ETC</TT +> and contains +the IP Address and the machine name in matched pairs. The +<TT +CLASS="FILENAME" +>LMHOSTS</TT +> file performs NetBIOS name +to IP address mapping oriented.</P +><P +>It typically looks like:</P +><P +><PRE +CLASS="PROGRAMLISTING" +> # Copyright (c) 1998 Microsoft Corp. + # + # This is a sample LMHOSTS file used by the Microsoft Wins Client (NetBIOS + # over TCP/IP) stack for Windows98 + # + # This file contains the mappings of IP addresses to NT computernames + # (NetBIOS) names. Each entry should be kept on an individual line. 
+ # The IP address should be placed in the first column followed by the + # corresponding computername. The address and the comptername + # should be separated by at least one space or tab. The "#" character + # is generally used to denote the start of a comment (see the exceptions + # below). + # + # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts + # files and offers the following extensions: + # + # #PRE + # #DOM:<domain> + # #INCLUDE <filename> + # #BEGIN_ALTERNATE + # #END_ALTERNATE + # \0xnn (non-printing character support) + # + # Following any entry in the file with the characters "#PRE" will cause + # the entry to be preloaded into the name cache. By default, entries are + # not preloaded, but are parsed only after dynamic name resolution fails. + # + # Following an entry with the "#DOM:<domain>" tag will associate the + # entry with the domain specified by <domain>. This affects how the + # browser and logon services behave in TCP/IP environments. To preload + # the host name associated with #DOM entry, it is necessary to also add a + # #PRE to the line. The <domain> is always preloaded although it will not + # be shown when the name cache is viewed. + # + # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT) + # software to seek the specified <filename> and parse it as if it were + # local. <filename> is generally a UNC-based name, allowing a + # centralized lmhosts file to be maintained on a server. + # It is ALWAYS necessary to provide a mapping for the IP address of the + # server prior to the #INCLUDE. This mapping must use the #PRE directive. + # In addtion the share "public" in the example below must be in the + # LanManServer list of "NullSessionShares" in order for client machines to + # be able to read the lmhosts file successfully. This key is under + # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares + # in the registry. Simply add "public" to the list found there. 
+ # + # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE + # statements to be grouped together. Any single successful include + # will cause the group to succeed. + # + # Finally, non-printing characters can be embedded in mappings by + # first surrounding the NetBIOS name in quotations, then using the + # \0xnn notation to specify a hex value for a non-printing character. + # + # The following example illustrates all of these extensions: + # + # 102.54.94.97 rhino #PRE #DOM:networking #net group's DC + # 102.54.94.102 "appname \0x14" #special app server + # 102.54.94.123 popular #PRE #source server + # 102.54.94.117 localsrv #PRE #needed for the include + # + # #BEGIN_ALTERNATE + # #INCLUDE \\localsrv\public\lmhosts + # #INCLUDE \\rhino\public\lmhosts + # #END_ALTERNATE + # + # In the above example, the "appname" server contains a special + # character in its name, the "popular" and "localsrv" server names are + # preloaded, and the "rhino" server name is specified so it can be used + # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv" + # system is unavailable. + # + # Note that the whole file is parsed including comments on each lookup, + # so keeping the number of comments to a minimum will improve performance. + # Therefore it is not advisable to simply add lmhosts file entries onto the + # end of this file.</PRE +></P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3668" +>21.2.3. HOSTS file</A +></H3 +><P +>This file is usually located in MS Windows NT 4.0 or 2000 in +<TT +CLASS="FILENAME" +>C:\WINNT\SYSTEM32\DRIVERS\ETC</TT +> and contains +the IP Address and the IP hostname in matched pairs. It can be +used by the name resolution infrastructure in MS Windows, depending +on how the TCP/IP environment is configured. 
This file is in +every way the equivalent of the Unix/Linux <TT +CLASS="FILENAME" +>/etc/hosts</TT +> file.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3673" +>21.2.4. DNS Lookup</A +></H3 +><P +>This capability is configured in the TCP/IP setup area in the network +configuration facility. If enabled an elaborate name resolution sequence +is followed the precise nature of which isdependant on what the NetBIOS +Node Type parameter is configured to. A Node Type of 0 means use +NetBIOS broadcast (over UDP broadcast) is first used if the name +that is the subject of a name lookup is not found in the NetBIOS name +cache. If that fails then DNS, HOSTS and LMHOSTS are checked. If set to +Node Type 8, then a NetBIOS Unicast (over UDP Unicast) is sent to the +WINS Server to obtain a lookup before DNS, HOSTS, LMHOSTS, or broadcast +lookup is used.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3676" +>21.2.5. WINS Lookup</A +></H3 +><P +>A WINS (Windows Internet Name Server) service is the equivaent of the +rfc1001/1002 specified NBNS (NetBIOS Name Server). A WINS server stores +the names and IP addresses that are registered by a Windows client +if the TCP/IP setup has been given at least one WINS Server IP Address.</P ><P ->The same sequence of events that occured for N2_B now occurs -for the local master browser on subnet 3 (N3_D). When it -synchronizes browse lists with the domain master browser (N1_A) -it gets both the server entries on subnet 1, and those on -subnet 2. 
After N3_D has synchronized with N1_C and vica-versa -the browse lists look like.</P +>To configure Samba to be a WINS server the following parameter needs +to be added to the <TT +CLASS="FILENAME" +>smb.conf</TT +> file:</P ><P ><PRE CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names.</PRE +> wins support = Yes</PRE ></P ><P ->At this point users looking in their network neighborhood on -subnets 1 or 3 will see all the servers on all sunbets, users on -subnet 2 will still only see the servers on subnets 1 and 2, but not 3.</P -><P ->Finally, the local master browser for subnet 2 (N2_B) will sync again -with the domain master browser (N1_C) and will recieve the missing -server entries. 
Finally - and as a steady state (if no machines -are removed or shut off) the browse lists will look like :</P +>To configure Samba to use a WINS server the following parameters are +needed in the smb.conf file:</P ><P ><PRE CLASS="PROGRAMLISTING" ->Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names.</PRE -></P -><P ->Synchronizations between the domain master browser and local -master browsers will continue to occur, but this should be a -steady state situation.</P -><P ->If either router R1 or R2 fails the following will occur:</P -><P +> wins support = No + wins server = xxx.xxx.xxx.xxx</PRE ></P -><OL -TYPE="1" -><LI -><P -> Names of computers on each side of the inaccessible network fragments - will be maintained for as long as 36 minutes, in the network neighbourhood - lists. - </P -></LI -><LI -><P -> Attempts to connect to these inaccessible computers will fail, but the - names will not be removed from the network neighbourhood lists. - </P -></LI -><LI ><P -> If one of the fragments is cut off from the WINS server, it will only - be able to access servers on its local subnet, by using subnet-isolated - broadcast NetBIOS name resolution. The effects are similar to that of - losing access to a DNS server. - </P -></LI -></OL +>where <VAR +CLASS="REPLACEABLE" +>xxx.xxx.xxx.xxx</VAR +> is the IP address +of the WINS server.</P +></DIV ></DIV ></DIV ><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" +CLASS="CHAPTER" +><HR><H1 ><A -NAME="AEN3152" ->20.5. 
Setting up a WINS server</A -></H2 -><P ->Either a Samba machine or a Windows NT Server machine may be set up -as a WINS server. To set a Samba machine to be a WINS server you must -add the following option to the smb.conf file on the selected machine : -in the [globals] section add the line </P -><P -><B -CLASS="COMMAND" -> wins support = yes</B -></P -><P ->Versions of Samba prior to 1.9.17 had this parameter default to -yes. If you have any older versions of Samba on your network it is -strongly suggested you upgrade to a recent version, or at the very -least set the parameter to 'no' on all these machines.</P -><P ->Machines with "<B -CLASS="COMMAND" ->wins support = yes</B ->" will keep a list of -all NetBIOS names registered with them, acting as a DNS for NetBIOS names.</P -><P ->You should set up only ONE wins server. Do NOT set the -"<B -CLASS="COMMAND" ->wins support = yes</B ->" option on more than one Samba -server.</P -><P ->To set up a Windows NT Server as a WINS server you need to set up -the WINS service - see your NT documentation for details. Note that -Windows NT WINS Servers can replicate to each other, allowing more -than one to be set up in a complex subnet environment. As Microsoft -refuse to document these replication protocols Samba cannot currently -participate in these replications. It is possible in the future that -a Samba->Samba WINS replication protocol may be defined, in which -case more than one Samba machine could be set up as a WINS server -but currently only one Samba server should have the "wins support = yes" -parameter set.</P -><P ->After the WINS server has been configured you must ensure that all -machines participating on the network are configured with the address -of this WINS server. If your WINS server is a Samba machine, fill in -the Samba machine IP address in the "Primary WINS Server" field of -the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs -in Windows 95 or Windows NT. 
To tell a Samba server the IP address -of the WINS server add the following line to the [global] section of -all smb.conf files :</P -><P -><B -CLASS="COMMAND" ->wins server = >name or IP address<</B -></P -><P ->where >name or IP address< is either the DNS name of the WINS server -machine or its IP address.</P -><P ->Note that this line MUST NOT BE SET in the smb.conf file of the Samba -server acting as the WINS server itself. If you set both the -"<B -CLASS="COMMAND" ->wins support = yes</B ->" option and the -"<B -CLASS="COMMAND" ->wins server = <name></B ->" option then -nmbd will fail to start.</P -><P ->There are two possible scenarios for setting up cross subnet browsing. -The first details setting up cross subnet browsing on a network containing -Windows 95, Samba and Windows NT machines that are not configured as -part of a Windows NT Domain. The second details setting up cross subnet -browsing on networks that contain NT Domains.</P -></DIV +NAME="IMPROVED-BROWSING" +></A +>Chapter 22. Improved browsing in samba</H1 ><DIV CLASS="SECT1" -><HR><H2 +><H2 CLASS="SECT1" ><A -NAME="AEN3171" ->20.6. Setting up Browsing in a WORKGROUP</A +NAME="AEN3695" +>22.1. Overview of browsing</A ></H2 ><P ->To set up cross subnet browsing on a network containing machines -in up to be in a WORKGROUP, not an NT Domain you need to set up one -Samba server to be the Domain Master Browser (note that this is *NOT* -the same as a Primary Domain Controller, although in an NT Domain the -same machine plays both roles). The role of a Domain master browser is -to collate the browse lists from local master browsers on all the -subnets that have a machine participating in the workgroup. Without -one machine configured as a domain master browser each subnet would -be an isolated workgroup, unable to see any machines on any other -subnet. 
It is the presense of a domain master browser that makes -cross subnet browsing possible for a workgroup.</P -><P ->In an WORKGROUP environment the domain master browser must be a -Samba server, and there must only be one domain master browser per -workgroup name. To set up a Samba server as a domain master browser, -set the following option in the [global] section of the smb.conf file :</P -><P -><B +>SMB networking provides a mechanism by which clients can access a list +of machines in a network, a so-called <B CLASS="COMMAND" ->domain master = yes</B -></P -><P ->The domain master browser should also preferrably be the local master -browser for its own subnet. In order to achieve this set the following -options in the [global] section of the smb.conf file :</P -><P -><PRE -CLASS="PROGRAMLISTING" ->domain master = yes -local master = yes -preferred master = yes -os level = 65</PRE -></P -><P ->The domain master browser may be the same machine as the WINS -server, if you require.</P -><P ->Next, you should ensure that each of the subnets contains a -machine that can act as a local master browser for the -workgroup. Any MS Windows NT/2K/XP/2003 machine should be -able to do this, as will Windows 9x machines (although these -tend to get rebooted more often, so it's not such a good idea -to use these). To make a Samba server a local master browser -set the following options in the [global] section of the -smb.conf file :</P -><P -><PRE -CLASS="PROGRAMLISTING" ->domain master = no -local master = yes -preferred master = yes -os level = 65</PRE -></P -><P ->Do not do this for more than one Samba server on each subnet, -or they will war with each other over which is to be the local -master browser.</P -><P ->The "local master" parameter allows Samba to act as a local master -browser. 
The "preferred master" causes nmbd to force a browser -election on startup and the "os level" parameter sets Samba high -enough so that it should win any browser elections.</P -><P ->If you have an NT machine on the subnet that you wish to -be the local master browser then you can disable Samba from -becoming a local master browser by setting the following -options in the [global] section of the smb.conf file :</P +>browse list</B +>. This list +contains machines that are ready to offer file and/or print services +to other machines within the network. Thus it does not include +machines which aren't currently able to do server tasks. The browse +list is heavily used by all SMB clients. Configuration of SMB +browsing has been problematic for some Samba users, hence this +document.</P ><P -><PRE -CLASS="PROGRAMLISTING" ->domain master = no -local master = no -preferred master = no -os level = 0</PRE -></P +>MS Windows 2000 and later, as with Samba 3 and later, can be +configured to not use NetBIOS over TCP/IP. When configured this way +it is imperative that name resolution (using DNS/LDAP/ADS) be correctly +configured and operative. Browsing will NOT work if name resolution +from SMB machine names to IP addresses does not function correctly.</P +><P +>Where NetBIOS over TCP/IP is enabled use of a WINS server is highly +recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. +WINS allows remote segment clients to obtain NetBIOS name_type information +that can NOT be provided by any other means of name resolution.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3189" ->20.7. Setting up Browsing in a DOMAIN</A +NAME="AEN3701" +>22.2. Browsing support in samba</A ></H2 ><P ->If you are adding Samba servers to a Windows NT Domain then -you must not set up a Samba server as a domain master browser. 
-By default, a Windows NT Primary Domain Controller for a Domain -name is also the Domain master browser for that name, and many -things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) with WINS instead of the PDC.</P +>Samba facilitates browsing. The browsing is supported by nmbd +and is also controlled by options in the smb.conf file (see smb.conf(5)). +Samba can act as a local browse master for a workgroup and the ability +for samba to support domain logons and scripts is now available.</P ><P ->For subnets other than the one containing the Windows NT PDC -you may set up Samba servers as local master browsers as -described. To make a Samba server a local master browser set -the following options in the [global] section of the smb.conf -file :</P +>Samba can also act as a domain master browser for a workgroup. This +means that it will collate lists from local browse masters into a +wide area network server list. In order for browse clients to +resolve the names they may find in this list, it is recommended that +both samba and your clients use a WINS server.</P +><P +>Note that you should NOT set Samba to be the domain master for a +workgroup that has the same name as an NT Domain: on each wide area +network, you must only ever have one domain master browser per workgroup, +regardless of whether it is NT, Samba or any other type of domain master +that is providing this service.</P +><DIV +CLASS="NOTE" ><P -><PRE -CLASS="PROGRAMLISTING" ->domain master = no -local master = yes -preferred master = yes -os level = 65</PRE ></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->If you wish to have a Samba server fight the election with machines -on the same subnet you may set the "os level" parameter to lower -levels. 
By doing this you can tune the order of machines that -will become local master browsers if they are running. For -more details on this see the section "FORCING SAMBA TO BE THE MASTER" -below.</P +>Nmbd can be configured as a WINS server, but it is not +necessary to specifically use samba as your WINS server. MS Windows +NT4, Server or Advanced Server 2000 or 2003 can be configured as +your WINS server. In a mixed NT/2000/2003 server and samba environment on +a Wide Area Network, it is recommended that you use the Microsoft +WINS server capabilities. In a samba-only environment, it is +recommended that you use one and only one Samba server as your WINS server.</P +></TD +></TR +></TABLE +></DIV ><P ->If you have Windows NT machines that are members of the domain -on all subnets, and you are sure they will always be running then -you can disable Samba from taking part in browser elections and -ever becoming a local master browser by setting following options -in the [global] section of the smb.conf file :</P +>To get browsing to work you need to run nmbd as usual, but will need +to use the <B +CLASS="COMMAND" +>workgroup</B +> option in <TT +CLASS="FILENAME" +>smb.conf</TT +> +to control what workgroup Samba becomes a part of.</P ><P -><B +>Samba also has a useful option for a Samba server to offer itself for +browsing on another subnet. It is recommended that this option is only +used for 'unusual' purposes: announcements over the internet, for +example. See <B CLASS="COMMAND" -> domain master = no - local master = no - preferred master = no - os level = 0</B -></P +>remote announce</B +> in the +<TT +CLASS="FILENAME" +>smb.conf</TT +> man page. </P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3199" ->20.8. Forcing samba to be the master</A +NAME="AEN3714" +>22.3. Problem resolution</A ></H2 ><P ->Who becomes the "master browser" is determined by an election process -using broadcasts. 
Each election packet contains a number of parameters -which determine what precedence (bias) a host should have in the -election. By default Samba uses a very low precedence and thus loses -elections to just about anyone else.</P -><P ->If you want Samba to win elections then just set the "os level" global -option in smb.conf to a higher number. It defaults to 0. Using 34 -would make it win all elections over every other system (except other -samba systems!)</P -><P ->A "os level" of 2 would make it beat WfWg and Win95, but not MS Windows -NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.</P +>If something doesn't work then hopefully the log.nmb file will help +you track down the problem. Try a debug level of 2 or 3 for finding +problems. Also note that the current browse list usually gets stored +in text form in a file called <TT +CLASS="FILENAME" +>browse.dat</TT +>.</P ><P ->The maximum os level is 255</P +>Note that if it doesn't work for you, then you should still be able to +type the server name as <TT +CLASS="FILENAME" +>\\SERVER</TT +> in filemanager then +hit enter and filemanager should display the list of available shares.</P ><P ->If you want samba to force an election on startup, then set the -"preferred master" global option in smb.conf to "yes". Samba will -then have a slight advantage over other potential master browsers -that are not preferred master browsers. Use this parameter with -care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with "preferred master" to -"yes", then periodically and continually they will force an election -in order to become the local master browser.</P +>Some people find browsing fails because they don't have the global +<B +CLASS="COMMAND" +>guest account</B +> set to a valid account. 
Remember that the +IPC$ connection that lists the shares is done as guest, and thus you must +have a valid guest account.</P ><P ->If you want samba to be a "domain master browser", then it is -recommended that you also set "preferred master" to "yes", because -samba will not become a domain master browser for the whole of your -LAN or WAN if it is not also a local master browser on its own -broadcast isolated subnet.</P +><SPAN +CLASS="emphasis" +><I +CLASS="EMPHASIS" +>MS Windows 2000 and upwards (as with Samba) can be configured to disallow +anonymous (ie: Guest account) access to the IPC$ share. In that case, the +MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the +name of the currently logged in user to query the IPC$ share. MS Windows +9X clients are not able to do this and thus will NOT be able to browse +server resources.</I +></SPAN +></P ><P ->It is possible to configure two samba servers to attempt to become -the domain master browser for a domain. The first server that comes -up will be the domain master browser. All other samba servers will -attempt to become the domain master browser every 5 minutes. They -will find that another samba server is already the domain master -browser and will fail. This provides automatic redundancy, should -the current domain master browser fail.</P +>The other big problem people have is that their broadcast address, +netmask or IP address is wrong (specified with the "interfaces" option +in smb.conf)</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3208" ->20.9. Making samba the domain master</A +NAME="AEN3725" +>22.4. Browsing across subnets</A ></H2 ><P ->The domain master is responsible for collating the browse lists of -multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting "domain master = yes" -in smb.conf. 
By default it will not be a domain master.</P -><P ->Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain.</P -><P ->When samba is the domain master and the master browser it will listen -for master announcements (made roughly every twelve minutes) from local -master browsers on other subnets and then contact them to synchronise -browse lists.</P -><P ->If you want samba to be the domain master then I suggest you also set -the "os level" high enough to make sure it wins elections, and set -"preferred master" to "yes", to get samba to force an election on -startup.</P -><P ->Note that all your servers (including samba) and clients should be -using a WINS server to resolve NetBIOS names. If your clients are only -using broadcasting to resolve NetBIOS names, then two things will occur:</P +>Since the release of Samba 1.9.17(alpha1) Samba has been +updated to enable it to support the replication of browse lists +across subnet boundaries. New code and options have been added to +achieve this. This section describes how to set this feature up +in different settings.</P ><P -></P -><OL -TYPE="1" -><LI +>To see browse lists that span TCP/IP subnets (ie. networks separated +by routers that don't pass broadcast traffic) you must set up at least +one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing +NetBIOS name to IP address translation to be done by doing a direct +query of the WINS server. This is done via a directed UDP packet on +port 137 to the WINS server machine. The reason for a WINS server is +that by default, all NetBIOS name to IP address translation is done +by broadcasts from the querying machine. This means that machines +on one subnet will not be able to resolve the names of machines on +another subnet without using a WINS server.</P ><P -> your local master browsers will be unable to find a domain master - browser, as it will only be looking on the local subnet. 
- </P -></LI -><LI +>Remember, for browsing across subnets to work correctly, all machines, +be they Windows 95, Windows NT, or Samba servers must have the IP address +of a WINS server given to them by a DHCP server, or by manual configuration +(for Win95 and WinNT, this is in the TCP/IP Properties, under Network +settings) for Samba this is in the smb.conf file.</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3730" +>22.4.1. How does cross subnet browsing work ?</A +></H3 ><P -> if a client happens to get hold of a domain-wide browse list, and - a user attempts to access a host in that list, it will be unable to - resolve the NetBIOS name of that host. - </P -></LI -></OL +>Cross subnet browsing is a complicated dance, containing multiple +moving parts. It has taken Microsoft several years to get the code +that achieves this correct, and Samba lags behind in some areas. +Samba is capable of cross subnet browsing when configured correctly.</P ><P ->If, however, both samba and your clients are using a WINS server, then:</P +>Consider a network set up as follows :</P ><P +><PRE +CLASS="PROGRAMLISTING" +> (DMB) + N1_A N1_B N1_C N1_D N1_E + | | | | | + ------------------------------------------------------- + | subnet 1 | + +---+ +---+ + |R1 | Router 1 Router 2 |R2 | + +---+ +---+ + | | + | subnet 2 subnet 3 | + -------------------------- ------------------------------------ + | | | | | | | | + N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D + (WINS)</PRE ></P -><OL -TYPE="1" -><LI -><P -> your local master browsers will contact the WINS server and, as long as - samba has registered that it is a domain master browser with the WINS - server, your local master browser will receive samba's ip address - as its domain master browser. - </P -></LI -><LI ><P -> when a client receives a domain-wide browse list, and a user attempts - to access a host in that list, it will contact the WINS server to - resolve the NetBIOS name of that host. 
as long as that host has - registered its NetBIOS name with the same WINS server, the user will - be able to see that host. - </P -></LI -></OL -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3226" ->20.10. Note about broadcast addresses</A -></H2 +>Consisting of 3 subnets (1, 2, 3) connected by two routers +(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines +on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume +for the moment that all these machines are configured to be in the +same workgroup (for simplicities sake). Machine N1_C on subnet 1 +is configured as Domain Master Browser (ie. it will collate the +browse lists for the workgroup). Machine N2_D is configured as +WINS server and all the other machines are configured to register +their NetBIOS names with it.</P ><P ->If your network uses a "0" based broadcast address (for example if it -ends in a 0) then you will strike problems. Windows for Workgroups -does not seem to support a 0's broadcast and you will probably find -that browsing and name lookups won't work.</P -></DIV -><DIV -CLASS="SECT1" -><HR><H2 -CLASS="SECT1" -><A -NAME="AEN3229" ->20.11. Multiple interfaces</A -></H2 +>As all these machines are booted up, elections for master browsers +will take place on each of the three subnets. Assume that machine +N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on +subnet 3 - these machines are known as local master browsers for +their particular subnet. N1_C has an advantage in winning as the +local master browser on subnet 1 as it is set up as Domain Master +Browser.</P ><P ->Samba now supports machines with multiple network interfaces. If you -have multiple interfaces then you will need to use the "interfaces" -option in smb.conf to configure them. See smb.conf(5) for details.</P -></DIV -></DIV -><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="MSDFS" -></A ->Chapter 21. 
Hosting a Microsoft Distributed File System tree on Samba</H1 -><DIV -CLASS="SECT1" -><H2 -CLASS="SECT1" -><A -NAME="AEN3243" ->21.1. Instructions</A -></H2 +>On each of the three networks, machines that are configured to +offer sharing services will broadcast that they are offering +these services. The local master browser on each subnet will +receive these broadcasts and keep a record of the fact that +the machine is offering a service. This list of records is +the basis of the browse list. For this case, assume that +all the machines are configured to offer services so all machines +will be on the browse list.</P ><P ->The Distributed File System (or Dfs) provides a means of - separating the logical view of files and directories that users - see from the actual physical locations of these resources on the - network. It allows for higher availability, smoother storage expansion, - load balancing etc. For more information about Dfs, refer to <A -HREF="http://www.microsoft.com/NTServer/nts/downloads/winfeatures/NTSDistrFile/AdminGuide.asp" -TARGET="_top" -> Microsoft documentation</A ->. </P +>For each network, the local master browser on that network is +considered 'authoritative' for all the names it receives via +local broadcast. This is because a machine seen by the local +master browser via a local broadcast must be on the same +network as the local master browser and thus is a 'trusted' +and 'verifiable' resource. 
Machines on other networks that +the local master browsers learn about when collating their +browse lists have not been directly seen - these records are +called 'non-authoritative'.</P ><P ->This document explains how to host a Dfs tree on a Unix - machine (for Dfs-aware clients to browse) using Samba.</P +>At this point the browse lists look as follows (these are +the machines you would see in your network neighborhood if +you looked in it on a particular network right now).</P ><P ->To enable SMB-based DFS for Samba, configure it with the - <VAR -CLASS="PARAMETER" ->--with-msdfs</VAR -> option. Once built, a - Samba server can be made a Dfs server by setting the global - boolean <A -HREF="smb.conf.5.html#HOSTMSDFS" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> host msdfs</VAR -></A -> parameter in the <TT -CLASS="FILENAME" ->smb.conf - </TT -> file. You designate a share as a Dfs root using the share - level boolean <A -HREF="smb.conf.5.html#MSDFSROOT" -TARGET="_top" -><VAR -CLASS="PARAMETER" -> msdfs root</VAR -></A -> parameter. A Dfs root directory on - Samba hosts Dfs links in the form of symbolic links that point - to other servers. For example, a symbolic link - <TT -CLASS="FILENAME" ->junction->msdfs:storage1\share1</TT -> in - the share directory acts as the Dfs junction. When Dfs-aware - clients attempt to access the junction link, they are redirected - to the storage location (in this case, \\storage1\share1).</P +><PRE +CLASS="PROGRAMLISTING" +>Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D</PRE +></P ><P ->Dfs trees on Samba work with all Dfs-aware clients ranging - from Windows 95 to 2000.</P +>Note that at this point all the subnets are separate, no +machine is seen across any of the subnets.</P ><P ->Here's an example of setting up a Dfs tree on a Samba - server.</P +>Now examine subnet 2. 
As soon as N2_B has become the local +master browser it looks for a Domain master browser to synchronize +its browse list with. It does this by querying the WINS server +(N2_D) for the IP address associated with the NetBIOS name +WORKGROUP>1B<. This name was registerd by the Domain master +browser (N1_C) with the WINS server as soon as it was booted.</P +><P +>Once N2_B knows the address of the Domain master browser it +tells it that is the local master browser for subnet 2 by +sending a MasterAnnouncement packet as a UDP port 138 packet. +It then synchronizes with it by doing a NetServerEnum2 call. This +tells the Domain Master Browser to send it all the server +names it knows about. Once the domain master browser receives +the MasterAnnouncement packet it schedules a synchronization +request to the sender of that packet. After both synchronizations +are done the browse lists look like :</P ><P ><PRE CLASS="PROGRAMLISTING" -># The smb.conf file: -[global] - netbios name = SAMBA - host msdfs = yes +>Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*) -[dfs] - path = /export/dfsroot - msdfs root = yes - </PRE +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + +Servers with a (*) after them are non-authoritative names.</PRE ></P ><P ->In the /export/dfsroot directory we set up our dfs links to - other servers on the network.</P +>At this point users looking in their network neighborhood on +subnets 1 or 2 will see all the servers on both, users on +subnet 3 will still only see the servers on their own subnet.</P ><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->cd /export/dfsroot</KBD -></P +>The same sequence of events that occured for N2_B now occurs +for the local master browser on subnet 3 (N3_D). 
When it +synchronizes browse lists with the domain master browser (N1_A) +it gets both the server entries on subnet 1, and those on +subnet 2. After N3_D has synchronized with N1_C and vica-versa +the browse lists look like.</P ><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chown root /export/dfsroot</KBD +><PRE +CLASS="PROGRAMLISTING" +>Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*), + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Servers with a (*) after them are non-authoritative names.</PRE ></P ><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->chmod 755 /export/dfsroot</KBD -></P +>At this point users looking in their network neighborhood on +subnets 1 or 3 will see all the servers on all sunbets, users on +subnet 2 will still only see the servers on subnets 1 and 2, but not 3.</P ><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:storageA\\shareA linka</KBD -></P +>Finally, the local master browser for subnet 2 (N2_B) will sync again +with the domain master browser (N1_C) and will recieve the missing +server entries. 
Finally - and as a steady state (if no machines +are removed or shut off) the browse lists will look like :</P ><P -><SAMP -CLASS="PROMPT" ->root# </SAMP -><KBD -CLASS="USERINPUT" ->ln -s msdfs:serverB\\share,serverC\\share linkb</KBD +><PRE +CLASS="PROGRAMLISTING" +>Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*), + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Servers with a (*) after them are non-authoritative names.</PRE ></P ><P ->You should set up the permissions and ownership of - the directory acting as the Dfs root such that only designated - users can create, delete or modify the msdfs links. Also note - that symlink names should be all lowercase. This limitation exists - to have Samba avoid trying all the case combinations to get at - the link name. Finally set up the symbolic links to point to the - network shares you want, and start Samba.</P +>Synchronizations between the domain master browser and local +master browsers will continue to occur, but this should be a +steady state situation.</P ><P ->Users on Dfs-aware clients can now browse the Dfs tree - on the Samba server at \\samba\dfs. Accessing - links linka or linkb (which appear as directories to the client) - takes users directly to the appropriate shares on the network.</P -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3278" ->21.1.1. Notes</A -></H3 +>If either router R1 or R2 fails the following will occur:</P ><P ></P -><UL +><OL +TYPE="1" ><LI ><P ->Windows clients need to be rebooted - if a previously mounted non-dfs share is made a dfs - root or vice versa. 
A better way is to introduce a - new share and make it the dfs root.</P +> Names of computers on each side of the inaccessible network fragments + will be maintained for as long as 36 minutes, in the network neighbourhood + lists. + </P ></LI ><LI ><P ->Currently there's a restriction that msdfs - symlink names should all be lowercase.</P +> Attempts to connect to these inaccessible computers will fail, but the + names will not be removed from the network neighbourhood lists. + </P ></LI ><LI ><P ->For security purposes, the directory - acting as the root of the Dfs tree should have ownership - and permissions set so that only designated users can - modify the symbolic links in the directory.</P +> If one of the fragments is cut off from the WINS server, it will only + be able to access servers on its local subnet, by using subnet-isolated + broadcast NetBIOS name resolution. The effects are similar to that of + losing access to a DNS server. + </P ></LI -></UL -></DIV +></OL ></DIV ></DIV ><DIV -CLASS="CHAPTER" -><HR><H1 -><A -NAME="VFS" -></A ->Chapter 22. Stackable VFS modules</H1 -><DIV CLASS="SECT1" -><H2 +><HR><H2 CLASS="SECT1" ><A -NAME="AEN3302" ->22.1. Introduction and configuration</A +NAME="AEN3765" +>22.5. Setting up a WINS server</A ></H2 ><P ->Since samba 3.0, samba supports stackable VFS(Virtual File System) modules. -Samba passes each request to access the unix file system thru the loaded VFS modules. -This chapter covers all the modules that come with the samba source and references to -some external modules.</P +>Either a Samba machine or a Windows NT Server machine may be set up +as a WINS server. To set a Samba machine to be a WINS server you must +add the following option to the smb.conf file on the selected machine : +in the [globals] section add the line </P ><P ->You may have problems to compile these modules, as shared libraries are -compiled and linked in different ways on different systems. 
-They currently have been tested against GNU/linux and IRIX.</P +><B +CLASS="COMMAND" +> wins support = yes</B +></P ><P ->To use the VFS modules, create a share similar to the one below. The -important parameter is the <B +>Versions of Samba prior to 1.9.17 had this parameter default to +yes. If you have any older versions of Samba on your network it is +strongly suggested you upgrade to a recent version, or at the very +least set the parameter to 'no' on all these machines.</P +><P +>Machines with <B CLASS="COMMAND" ->vfs object</B -> parameter which must point to -the exact pathname of the shared library objects. For example, to log all access -to files and use a recycle bin: - -<PRE -CLASS="PROGRAMLISTING" -> [audit] - comment = Audited /data directory - path = /data - vfs object = /path/to/audit.so /path/to/recycle.so - writeable = yes - browseable = yes</PRE +>wins support = yes</B +> will keep a list of +all NetBIOS names registered with them, acting as a DNS for NetBIOS names.</P +><P +>You should set up only ONE wins server. Do NOT set the +<B +CLASS="COMMAND" +>wins support = yes</B +> option on more than one Samba +server.</P +><P +>To set up a Windows NT Server as a WINS server you need to set up +the WINS service - see your NT documentation for details. Note that +Windows NT WINS Servers can replicate to each other, allowing more +than one to be set up in a complex subnet environment. As Microsoft +refuse to document these replication protocols Samba cannot currently +participate in these replications. It is possible in the future that +a Samba->Samba WINS replication protocol may be defined, in which +case more than one Samba machine could be set up as a WINS server +but currently only one Samba server should have the +<B +CLASS="COMMAND" +>wins support = yes</B +> parameter set.</P +><P +>After the WINS server has been configured you must ensure that all +machines participating on the network are configured with the address +of this WINS server. 
If your WINS server is a Samba machine, fill in +the Samba machine IP address in the "Primary WINS Server" field of +the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs +in Windows 95 or Windows NT. To tell a Samba server the IP address +of the WINS server add the following line to the [global] section of +all smb.conf files :</P +><P +><B +CLASS="COMMAND" +>wins server = >name or IP address<</B ></P ><P ->The modules are used in the order they are specified.</P +>where >name or IP address< is either the DNS name of the WINS server +machine or its IP address.</P ><P ->Further documentation on writing VFS modules for Samba can be found in -the Samba Developers Guide.</P +>Note that this line MUST NOT BE SET in the smb.conf file of the Samba +server acting as the WINS server itself. If you set both the +<B +CLASS="COMMAND" +>wins support = yes</B +> option and the +<B +CLASS="COMMAND" +>wins server = <name></B +> option then +nmbd will fail to start.</P +><P +>There are two possible scenarios for setting up cross subnet browsing. +The first details setting up cross subnet browsing on a network containing +Windows 95, Samba and Windows NT machines that are not configured as +part of a Windows NT Domain. The second details setting up cross subnet +browsing on networks that contain NT Domains.</P ></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3311" ->22.2. Included modules</A +NAME="AEN3785" +>22.6. Setting up Browsing in a WORKGROUP</A ></H2 -><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN3313" ->22.2.1. audit</A -></H3 ><P ->A simple module to audit file access to the syslog -facility. 
The following operations are logged: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->share</TD -></TR -><TR -><TD ->connect/disconnect</TD -></TR -><TR -><TD ->directory opens/create/remove</TD -></TR -><TR -><TD ->file open/close/rename/unlink/chmod</TD -></TR -></TBODY -></TABLE +>To set up cross subnet browsing on a network containing machines +in up to be in a WORKGROUP, not an NT Domain you need to set up one +Samba server to be the Domain Master Browser (note that this is *NOT* +the same as a Primary Domain Controller, although in an NT Domain the +same machine plays both roles). The role of a Domain master browser is +to collate the browse lists from local master browsers on all the +subnets that have a machine participating in the workgroup. Without +one machine configured as a domain master browser each subnet would +be an isolated workgroup, unable to see any machines on any other +subnet. It is the presense of a domain master browser that makes +cross subnet browsing possible for a workgroup.</P ><P +>In an WORKGROUP environment the domain master browser must be a +Samba server, and there must only be one domain master browser per +workgroup name. To set up a Samba server as a domain master browser, +set the following option in the [global] section of the smb.conf file :</P +><P +><B +CLASS="COMMAND" +>domain master = yes</B ></P -></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN3321" ->22.2.2. recycle</A -></H3 ><P ->A recycle-bin like modules. When used any unlink call -will be intercepted and files moved to the recycle -directory instead of beeing deleted.</P +>The domain master browser should also preferrably be the local master +browser for its own subnet. 
In order to achieve this set the following +options in the [global] section of the smb.conf file :</P ><P ->Supported options: -<P +><PRE +CLASS="PROGRAMLISTING" +>domain master = yes +local master = yes +preferred master = yes +os level = 65</PRE ></P -><DIV -CLASS="VARIABLELIST" -><DL -><DT ->vfs_recycle_bin:repository</DT -><DD -><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:keeptree</DT -><DD ><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:versions</DT -><DD +>The domain master browser may be the same machine as the WINS +server, if you require.</P ><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:touch</DT -><DD +>Next, you should ensure that each of the subnets contains a +machine that can act as a local master browser for the +workgroup. Any MS Windows NT/2K/XP/2003 machine should be +able to do this, as will Windows 9x machines (although these +tend to get rebooted more often, so it's not such a good idea +to use these). To make a Samba server a local master browser +set the following options in the [global] section of the +smb.conf file :</P ><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:maxsize</DT -><DD +><PRE +CLASS="PROGRAMLISTING" +>domain master = no +local master = yes +preferred master = yes +os level = 65</PRE +></P ><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:exclude</DT -><DD +>Do not do this for more than one Samba server on each subnet, +or they will war with each other over which is to be the local +master browser.</P ><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:exclude_dir</DT -><DD +>The <B +CLASS="COMMAND" +>local master</B +> parameter allows Samba to act as a +local master browser. 
The <B +CLASS="COMMAND" +>preferred master</B +> causes nmbd +to force a browser election on startup and the <B +CLASS="COMMAND" +>os level</B +> +parameter sets Samba high enough so that it should win any browser elections.</P ><P ->FIXME</P -></DD -><DT ->vfs_recycle_bin:noversions</DT -><DD +>If you have an NT machine on the subnet that you wish to +be the local master browser then you can disable Samba from +becoming a local master browser by setting the following +options in the <B +CLASS="COMMAND" +>[global]</B +> section of the +<TT +CLASS="FILENAME" +>smb.conf</TT +> file :</P ><P ->FIXME</P -></DD -></DL -></DIV +><PRE +CLASS="PROGRAMLISTING" +>domain master = no +local master = no +preferred master = no +os level = 0</PRE ></P ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" ><A -NAME="AEN3358" ->22.2.3. netatalk</A -></H3 +NAME="AEN3808" +>22.7. Setting up Browsing in a DOMAIN</A +></H2 ><P ->A netatalk module, that will ease co-existence of samba and -netatalk file sharing services.</P +>If you are adding Samba servers to a Windows NT Domain then +you must not set up a Samba server as a domain master browser. +By default, a Windows NT Primary Domain Controller for a Domain +name is also the Domain master browser for that name, and many +things will break if a Samba server registers the Domain master +browser NetBIOS name (<VAR +CLASS="REPLACEABLE" +>DOMAIN</VAR +><1B>) +with WINS instead of the PDC.</P ><P ->Advantages compared to the old netatalk module: -<P -></P -><TABLE -BORDER="0" -><TBODY -><TR -><TD ->it doesn't care about creating of .AppleDouble forks, just keeps ones in sync</TD -></TR -><TR -><TD ->if share in smb.conf doesn't contain .AppleDouble item in hide or veto list, it will be added automatically</TD -></TR -></TBODY -></TABLE +>For subnets other than the one containing the Windows NT PDC +you may set up Samba servers as local master browsers as +described. 
To make a Samba server a local master browser set +the following options in the <B +CLASS="COMMAND" +>[global]</B +> section +of the <TT +CLASS="FILENAME" +>smb.conf</TT +> file :</P ><P +><PRE +CLASS="PROGRAMLISTING" +>domain master = no +local master = yes +preferred master = yes +os level = 65</PRE ></P +><P +>If you wish to have a Samba server fight the election with machines +on the same subnet you may set the <B +CLASS="COMMAND" +>os level</B +> parameter +to lower levels. By doing this you can tune the order of machines that +will become local master browsers if they are running. For +more details on this see the section <A +HREF="#BROWSE-FORCE-MASTER" +>Forcing samba to be the master browser</A +> +below.</P +><P +>If you have Windows NT machines that are members of the domain +on all subnets, and you are sure they will always be running then +you can disable Samba from taking part in browser elections and +ever becoming a local master browser by setting following options +in the <B +CLASS="COMMAND" +>[global]</B +> section of the <TT +CLASS="FILENAME" +>smb.conf</TT +> +file :</P +><P +><B +CLASS="COMMAND" +> domain master = no + local master = no + preferred master = no + os level = 0</B ></P ></DIV -></DIV ><DIV CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3365" ->22.3. VFS modules available elsewhere</A +NAME="BROWSE-FORCE-MASTER" +>22.8. Forcing samba to be the master</A ></H2 ><P ->This section contains a listing of various other VFS modules that -have been posted but don't currently reside in the Samba CVS -tree for one reason ot another (e.g. it is easy for the maintainer -to have his or her own CVS tree).</P +>Who becomes the <B +CLASS="COMMAND" +>master browser</B +> is determined by an election +process using broadcasts. Each election packet contains a number of parameters +which determine what precedence (bias) a host should have in the +election. 
By default Samba uses a very low precedence and thus loses +elections to just about anyone else.</P ><P ->No statemets about the stability or functionality any module -should be implied due to its presence here.</P +>If you want Samba to win elections then just set the <B +CLASS="COMMAND" +>os level</B +> global +option in <TT +CLASS="FILENAME" +>smb.conf</TT +> to a higher number. It defaults to 0. Using 34 +would make it win all elections over every other system (except other +samba systems!)</P +><P +>A <B +CLASS="COMMAND" +>os level</B +> of 2 would make it beat WfWg and Win95, but not MS Windows +NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32.</P +><P +>The maximum os level is 255</P +><P +>If you want samba to force an election on startup, then set the +<B +CLASS="COMMAND" +>preferred master</B +> global option in <TT +CLASS="FILENAME" +>smb.conf</TT +> to "yes". Samba will +then have a slight advantage over other potential master browsers +that are not preferred master browsers. Use this parameter with +care, as if you have two hosts (whether they are windows 95 or NT or +samba) on the same local subnet both set with <B +CLASS="COMMAND" +>preferred master</B +> to +"yes", then periodically and continually they will force an election +in order to become the local master browser.</P +><P +>If you want samba to be a <B +CLASS="COMMAND" +>domain master browser</B +>, then it is +recommended that you also set <B +CLASS="COMMAND" +>preferred master</B +> to "yes", because +samba will not become a domain master browser for the whole of your +LAN or WAN if it is not also a local master browser on its own +broadcast isolated subnet.</P +><P +>It is possible to configure two samba servers to attempt to become +the domain master browser for a domain. The first server that comes +up will be the domain master browser. All other samba servers will +attempt to become the domain master browser every 5 minutes. 
They +will find that another samba server is already the domain master +browser and will fail. This provides automatic redundancy, should +the current domain master browser fail.</P +></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" ><A -NAME="AEN3369" ->22.3.1. DatabaseFS</A -></H3 +NAME="AEN3843" +>22.9. Making samba the domain master</A +></H2 +><P +>The domain master is responsible for collating the browse lists of +multiple subnets so that browsing can occur between subnets. You can +make samba act as the domain master by setting <B +CLASS="COMMAND" +>domain master = yes</B +> +in <TT +CLASS="FILENAME" +>smb.conf</TT +>. By default it will not be a domain master.</P +><P +>Note that you should NOT set Samba to be the domain master for a +workgroup that has the same name as an NT Domain.</P +><P +>When samba is the domain master and the master browser it will listen +for master announcements (made roughly every twelve minutes) from local +master browsers on other subnets and then contact them to synchronise +browse lists.</P +><P +>If you want samba to be the domain master then I suggest you also set +the <B +CLASS="COMMAND" +>os level</B +> high enough to make sure it wins elections, and set +<B +CLASS="COMMAND" +>preferred master</B +> to "yes", to get samba to force an election on +startup.</P +><P +>Note that all your servers (including samba) and clients should be +using a WINS server to resolve NetBIOS names. If your clients are only +using broadcasting to resolve NetBIOS names, then two things will occur:</P ><P ->URL: <A -HREF="http://www.css.tayloru.edu/~elorimer/databasefs/index.php" -TARGET="_top" ->http://www.css.tayloru.edu/~elorimer/databasefs/index.php</A ></P +><OL +TYPE="1" +><LI ><P ->By <A -HREF="mailto:elorimer@css.tayloru.edu" -TARGET="_top" ->Eric Lorimer</A ->.</P +> your local master browsers will be unable to find a domain master + browser, as it will only be looking on the local subnet. 
+ </P +></LI +><LI ><P ->I have created a VFS module which implements a fairly complete read-only -filesystem. It presents information from a database as a filesystem in -a modular and generic way to allow different databases to be used -(originally designed for organizing MP3s under directories such as -"Artists," "Song Keywords," etc... I have since applied it to a student -roster database very easily). The directory structure is stored in the -database itself and the module makes no assumptions about the database -structure beyond the table it requires to run.</P +> if a client happens to get hold of a domain-wide browse list, and + a user attempts to access a host in that list, it will be unable to + resolve the NetBIOS name of that host. + </P +></LI +></OL ><P ->Any feedback would be appreciated: comments, suggestions, patches, -etc... If nothing else, hopefully it might prove useful for someone -else who wishes to create a virtual filesystem.</P +>If, however, both samba and your clients are using a WINS server, then:</P +><P +></P +><OL +TYPE="1" +><LI +><P +> your local master browsers will contact the WINS server and, as long as + samba has registered that it is a domain master browser with the WINS + server, your local master browser will receive samba's ip address + as its domain master browser. + </P +></LI +><LI +><P +> when a client receives a domain-wide browse list, and a user attempts + to access a host in that list, it will contact the WINS server to + resolve the NetBIOS name of that host. as long as that host has + registered its NetBIOS name with the same WINS server, the user will + be able to see that host. + </P +></LI +></OL ></DIV ><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" ><A -NAME="AEN3377" ->22.3.2. vscan</A -></H3 -><P ->URL: <A -HREF="http://www.openantivirus.org/" -TARGET="_top" ->http://www.openantivirus.org/</A -></P +NAME="AEN3865" +>22.10. 
Note about broadcast addresses</A +></H2 ><P ->samba-vscan is a proof-of-concept module for Samba, which -uses the VFS (virtual file system) features of Samba 2.2.x/3.0 -alphaX. Of couse, Samba has to be compiled with VFS support. -samba-vscan supports various virus scanners and is maintained -by Rainer Link.</P +>If your network uses a "0" based broadcast address (for example if it +ends in a 0) then you will strike problems. Windows for Workgroups +does not seem to support a 0's broadcast and you will probably find +that browsing and name lookups won't work.</P ></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3868" +>22.11. Multiple interfaces</A +></H2 +><P +>Samba now supports machines with multiple network interfaces. If you +have multiple interfaces then you will need to use the <B +CLASS="COMMAND" +>interfaces</B +> +option in smb.conf to configure them. See <TT +CLASS="FILENAME" +>smb.conf(5)</TT +> for details.</P ></DIV ></DIV ><DIV @@ -16659,7 +18910,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3391" +NAME="AEN3884" >23.1. Introduction</A ></H2 ><P @@ -16672,7 +18923,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3394" +NAME="AEN3887" >23.2. Using host based protection</A ></H2 ><P @@ -16704,7 +18955,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3401" +NAME="AEN3894" >23.3. Using interface protection</A ></H2 ><P @@ -16740,7 +18991,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3410" +NAME="AEN3903" >23.4. Using a firewall</A ></H2 ><P @@ -16770,7 +19021,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3417" +NAME="AEN3910" >23.5. Using a IPC$ share deny</A ></H2 ><P @@ -16809,7 +19060,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3426" +NAME="AEN3919" >23.6. Upgrading Samba</A ></H2 ><P @@ -16831,7 +19082,7 @@ CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3440" +NAME="AEN3933" >24.1. What are charsets and unicode?</A ></H2 ><P 
@@ -16881,7 +19132,7 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3449" +NAME="AEN3942" >24.2. Samba and charsets</A ></H2 ><P 
@@ -16958,100 +19209,186 @@ CLASS="TOC" ></DT ><DT >25. <A +HREF="#SWAT" +>SWAT - The Samba Web Admininistration Tool</A +></DT +><DD +><DL +><DT +>25.1. <A +HREF="#AEN3976" +>SWAT Features and Benefits</A +></DT +><DD +><DL +><DT +>25.1.1. <A +HREF="#AEN3979" +>The SWAT Home Page</A +></DT +><DT +>25.1.2. <A +HREF="#AEN3982" +>Global Settings</A +></DT +><DT +>25.1.3. <A +HREF="#AEN3985" +>The SWAT Wizard</A +></DT +><DT +>25.1.4. <A +HREF="#AEN3988" +>Share Settings</A +></DT +><DT +>25.1.5. <A +HREF="#AEN3991" +>Printing Settings</A +></DT +><DT +>25.1.6. <A +HREF="#AEN3994" +>The Status Page</A +></DT +><DT +>25.1.7. <A +HREF="#AEN3997" +>The Password Change Page</A +></DT +></DL +></DD +></DL +></DD +><DT +>26. <A +HREF="#NT4MIGRATION" +>Migration from NT4 PDC to Samba-3 PDC</A +></DT +><DD +><DL +><DT +>26.1. <A +HREF="#AEN4012" +>Planning and Getting Started</A +></DT +><DD +><DL +><DT +>26.1.1. <A +HREF="#AEN4015" +>Objectives</A +></DT +><DT +>26.1.2. <A +HREF="#AEN4018" +>Steps In Migration Process</A +></DT +></DL +></DD +><DT +>26.2. <A +HREF="#AEN4021" +>Managing Samba-3 Domain Control</A +></DT +></DL +></DD +><DT +>27. <A HREF="#SPEED" >Samba performance issues</A ></DT ><DD ><DL ><DT ->25.1. <A -HREF="#AEN3486" +>27.1. <A +HREF="#AEN4041" >Comparisons</A ></DT ><DT ->25.2. <A -HREF="#AEN3492" +>27.2. <A +HREF="#AEN4047" >Socket options</A ></DT ><DT ->25.3. <A -HREF="#AEN3499" +>27.3. <A +HREF="#AEN4054" >Read size</A ></DT ><DT ->25.4. <A -HREF="#AEN3504" +>27.4. <A +HREF="#AEN4059" >Max xmit</A ></DT ><DT ->25.5. <A -HREF="#AEN3509" +>27.5. <A +HREF="#AEN4064" >Log level</A ></DT ><DT ->25.6. <A -HREF="#AEN3512" +>27.6. <A +HREF="#AEN4067" >Read raw</A ></DT ><DT ->25.7. <A -HREF="#AEN3517" +>27.7. <A +HREF="#AEN4072" >Write raw</A ></DT ><DT ->25.8. <A -HREF="#AEN3521" +>27.8. <A +HREF="#AEN4076" >Slow Clients</A ></DT ><DT ->25.9. <A -HREF="#AEN3525" +>27.9. <A +HREF="#AEN4080" >Slow Logins</A ></DT ><DT ->25.10. <A -HREF="#AEN3528" +>27.10. 
<A +HREF="#AEN4083" >Client tuning</A ></DT ></DL ></DD ><DT ->26. <A +>28. <A HREF="#PORTABILITY" >Portability</A ></DT ><DD ><DL ><DT ->26.1. <A -HREF="#AEN3568" +>28.1. <A +HREF="#AEN4127" >HPUX</A ></DT ><DT ->26.2. <A -HREF="#AEN3574" +>28.2. <A +HREF="#AEN4133" >SCO Unix</A ></DT ><DT ->26.3. <A -HREF="#AEN3578" +>28.3. <A +HREF="#AEN4137" >DNIX</A ></DT ><DT ->26.4. <A -HREF="#AEN3607" +>28.4. <A +HREF="#AEN4166" >RedHat Linux Rembrandt-II</A ></DT ><DT ->26.5. <A -HREF="#AEN3613" +>28.5. <A +HREF="#AEN4172" >AIX</A ></DT ><DD ><DL ><DT ->26.5.1. <A -HREF="#AEN3615" +>28.5.1. <A +HREF="#AEN4174" >Sequential Read Ahead</A ></DT ></DL 
@@ -17059,156 +19396,161 @@ HREF="#AEN3615" ></DL ></DD ><DT ->27. <A +>29. <A HREF="#OTHER-CLIENTS" >Samba and other CIFS clients</A ></DT ><DD ><DL ><DT ->27.1. <A -HREF="#AEN3633" +>29.1. <A +HREF="#AEN4196" >Macintosh clients?</A ></DT ><DT ->27.2. <A -HREF="#AEN3642" +>29.2. <A +HREF="#AEN4205" >OS2 Client</A ></DT ><DD ><DL ><DT ->27.2.1. <A -HREF="#AEN3644" +>29.2.1. <A +HREF="#AEN4207" >How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></DT ><DT ->27.2.2. <A -HREF="#AEN3659" +>29.2.2. <A +HREF="#AEN4222" >How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></DT ><DT ->27.2.3. <A -HREF="#AEN3668" +>29.2.3. <A +HREF="#AEN4231" >Are there any other issues when OS/2 (any version) is used as a client?</A ></DT ><DT ->27.2.4. <A -HREF="#AEN3672" +>29.2.4. <A +HREF="#AEN4235" >How do I get printer driver download working for OS/2 clients?</A ></DT ></DL ></DD ><DT ->27.3. <A -HREF="#AEN3682" +>29.3. <A +HREF="#AEN4245" >Windows for Workgroups</A ></DT ><DD ><DL ><DT ->27.3.1. <A -HREF="#AEN3684" +>29.3.1. <A +HREF="#AEN4247" >Use latest TCP/IP stack from Microsoft</A ></DT ><DT ->27.3.2. <A -HREF="#AEN3689" +>29.3.2. <A +HREF="#AEN4252" >Delete .pwl files after password change</A ></DT ><DT ->27.3.3. <A -HREF="#AEN3694" +>29.3.3. <A +HREF="#AEN4257" >Configure WfW password handling</A ></DT ><DT ->27.3.4. <A -HREF="#AEN3698" +>29.3.4. <A +HREF="#AEN4261" >Case handling of passwords</A ></DT ><DT ->27.3.5. <A -HREF="#AEN3703" +>29.3.5. <A +HREF="#AEN4266" >Use TCP/IP as default protocol</A ></DT ></DL ></DD ><DT ->27.4. <A -HREF="#AEN3706" +>29.4. <A +HREF="#AEN4269" >Windows '95/'98</A ></DT ><DT ->27.5. <A -HREF="#AEN3722" +>29.5. <A +HREF="#AEN4285" >Windows 2000 Service Pack 2</A ></DT +><DT +>29.6. <A +HREF="#AEN4302" +>Windows NT 3.1</A +></DT ></DL ></DD ><DT ->28. <A +>30. <A HREF="#COMPILING" >How to compile SAMBA</A ></DT ><DD ><DL ><DT ->28.1. <A -HREF="#AEN3749" +>30.1. 
<A +HREF="#AEN4323" >Access Samba source code via CVS</A ></DT ><DD ><DL ><DT ->28.1.1. <A -HREF="#AEN3751" +>30.1.1. <A +HREF="#AEN4325" >Introduction</A ></DT ><DT ->28.1.2. <A -HREF="#AEN3756" +>30.1.2. <A +HREF="#AEN4330" >CVS Access to samba.org</A ></DT ></DL ></DD ><DT ->28.2. <A -HREF="#AEN3792" +>30.2. <A +HREF="#AEN4366" >Accessing the samba sources via rsync and ftp</A ></DT ><DT ->28.3. <A -HREF="#AEN3798" +>30.3. <A +HREF="#AEN4372" >Building the Binaries</A ></DT ><DD ><DL ><DT ->28.3.1. <A -HREF="#AEN3826" +>30.3.1. <A +HREF="#AEN4400" >Compiling samba with Active Directory support</A ></DT ></DL ></DD ><DT ->28.4. <A -HREF="#AEN3855" +>30.4. <A +HREF="#AEN4429" >Starting the smbd and nmbd</A ></DT ><DD ><DL ><DT ->28.4.1. <A -HREF="#AEN3865" +>30.4.1. <A +HREF="#AEN4439" >Starting from inetd.conf</A ></DT ><DT ->28.4.2. <A -HREF="#AEN3894" +>30.4.2. <A +HREF="#AEN4469" >Alternative: starting it as a daemon</A ></DT ></DL 
@@ -17216,128 +19558,69 @@ HREF="#AEN3894" ></DL ></DD ><DT ->29. <A +>31. <A HREF="#BUGREPORT" >Reporting Bugs</A ></DT ><DD ><DL ><DT ->29.1. <A -HREF="#AEN3917" +>31.1. <A +HREF="#AEN4500" >Introduction</A ></DT ><DT ->29.2. <A -HREF="#AEN3927" +>31.2. <A +HREF="#AEN4510" >General info</A ></DT ><DT ->29.3. <A -HREF="#AEN3933" +>31.3. <A +HREF="#AEN4516" >Debug levels</A ></DT ><DT ->29.4. <A -HREF="#AEN3950" +>31.4. <A +HREF="#AEN4536" >Internal errors</A ></DT ><DT ->29.5. <A -HREF="#AEN3960" +>31.5. <A +HREF="#AEN4550" >Attaching to a running process</A ></DT ><DT ->29.6. <A -HREF="#AEN3963" +>31.6. <A +HREF="#AEN4558" >Patches</A ></DT ></DL ></DD ><DT ->30. <A +>32. <A HREF="#DIAGNOSIS" >The samba checklist</A ></DT ><DD ><DL ><DT ->30.1. <A -HREF="#AEN3986" +>32.1. <A +HREF="#AEN4581" >Introduction</A ></DT ><DT ->30.2. <A -HREF="#AEN3991" +>32.2. <A +HREF="#AEN4586" >Assumptions</A ></DT ><DT ->30.3. <A -HREF="#AEN4001" ->Tests</A -></DT -><DD -><DL -><DT ->30.3.1. <A -HREF="#AEN4003" ->Test 1</A -></DT -><DT ->30.3.2. <A -HREF="#AEN4009" ->Test 2</A -></DT -><DT ->30.3.3. <A -HREF="#AEN4015" ->Test 3</A -></DT -><DT ->30.3.4. <A -HREF="#AEN4030" ->Test 4</A -></DT -><DT ->30.3.5. <A -HREF="#AEN4035" ->Test 5</A -></DT -><DT ->30.3.6. <A -HREF="#AEN4041" ->Test 6</A -></DT -><DT ->30.3.7. <A -HREF="#AEN4049" ->Test 7</A -></DT -><DT ->30.3.8. <A -HREF="#AEN4075" ->Test 8</A -></DT -><DT ->30.3.9. <A -HREF="#AEN4092" ->Test 9</A -></DT -><DT ->30.3.10. <A -HREF="#AEN4100" ->Test 10</A -></DT -><DT ->30.3.11. <A -HREF="#AEN4106" ->Test 11</A +>32.3. <A +HREF="#AEN4596" +>The tests</A ></DT -></DL -></DD ><DT ->30.4. <A -HREF="#AEN4111" +>32.4. <A +HREF="#AEN4697" >Still having troubles?</A ></DT ></DL 
@@ -17349,16 +19632,169 @@ HREF="#AEN4111" CLASS="CHAPTER" ><HR><H1 ><A +NAME="SWAT" +></A +>Chapter 25. SWAT - The Samba Web Admininistration Tool</H1 +><P +>This is a rough guide to SWAT.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN3976" +>25.1. SWAT Features and Benefits</A +></H2 +><P +>You must use at least the following ...</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3979" +>25.1.1. The SWAT Home Page</A +></H3 +><P +>Blah blah here.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3982" +>25.1.2. Global Settings</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3985" +>25.1.3. The SWAT Wizard</A +></H3 +><P +>Lots of blah blah here.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3988" +>25.1.4. Share Settings</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3991" +>25.1.5. Printing Settings</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3994" +>25.1.6. The Status Page</A +></H3 +><P +>Document steps right here!</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN3997" +>25.1.7. The Password Change Page</A +></H3 +><P +>Document steps right here!</P +></DIV +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A +NAME="NT4MIGRATION" +></A +>Chapter 26. Migration from NT4 PDC to Samba-3 PDC</H1 +><P +>This is a rough guide to assist those wishing to migrate from NT4 domain control to +Samba-3 based domain control.</P +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4012" +>26.1. Planning and Getting Started</A +></H2 +><P +>You must use at least the following ...</P +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN4015" +>26.1.1. 
Objectives</A +></H3 +><P +>Blah blah objectives here.</P +></DIV +><DIV +CLASS="SECT2" +><HR><H3 +CLASS="SECT2" +><A +NAME="AEN4018" +>26.1.2. Steps In Migration Process</A +></H3 +><P +>Document steps right here!</P +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4021" +>26.2. Managing Samba-3 Domain Control</A +></H2 +><P +>Lots of blah blah here.</P +></DIV +></DIV +><DIV +CLASS="CHAPTER" +><HR><H1 +><A NAME="SPEED" ></A ->Chapter 25. Samba performance issues</H1 +>Chapter 27. Samba performance issues</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3486" ->25.1. Comparisons</A +NAME="AEN4041" +>27.1. Comparisons</A ></H2 ><P >The Samba server uses TCP to talk to the client. Thus if you are @@ -17388,8 +19824,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3492" ->25.2. Socket options</A +NAME="AEN4047" +>27.2. Socket options</A ></H2 ><P >There are a number of socket options that can greatly affect the @@ -17416,8 +19852,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3499" ->25.3. Read size</A +NAME="AEN4054" +>27.3. Read size</A ></H2 ><P >The option "read size" affects the overlap of disk reads/writes with @@ -17442,8 +19878,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3504" ->25.4. Max xmit</A +NAME="AEN4059" +>27.4. Max xmit</A ></H2 ><P >At startup the client and server negotiate a "maximum transmit" size, @@ -17465,8 +19901,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3509" ->25.5. Log level</A +NAME="AEN4064" +>27.5. Log level</A ></H2 ><P >If you set the log level (also known as "debug level") higher than 2 @@ -17479,8 +19915,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3512" ->25.6. Read raw</A +NAME="AEN4067" +>27.6. Read raw</A ></H2 ><P >The "read raw" operation is designed to be an optimised, low-latency 
@@ -17501,8 +19937,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3517" ->25.7. Write raw</A +NAME="AEN4072" +>27.7. Write raw</A ></H2 ><P >The "write raw" operation is designed to be an optimised, low-latency @@ -17518,8 +19954,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3521" ->25.8. Slow Clients</A +NAME="AEN4076" +>27.8. Slow Clients</A ></H2 ><P >One person has reported that setting the protocol to COREPLUS rather @@ -17535,8 +19971,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3525" ->25.9. Slow Logins</A +NAME="AEN4080" +>27.9. Slow Logins</A ></H2 ><P >Slow logins are almost always due to the password checking time. Using @@ -17548,8 +19984,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3528" ->25.10. Client tuning</A +NAME="AEN4083" +>27.10. Client tuning</A ></H2 ><P >Often a speed problem can be traced to the client. The client (for @@ -17656,7 +20092,7 @@ CLASS="CHAPTER" ><A NAME="PORTABILITY" ></A ->Chapter 26. Portability</H1 +>Chapter 28. Portability</H1 ><P >Samba works on a wide range of platforms but the interface all the platforms provide is not always compatible. This chapter contains @@ -17666,8 +20102,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3568" ->26.1. HPUX</A +NAME="AEN4127" +>28.1. HPUX</A ></H2 ><P >HP's implementation of supplementary groups is, er, non-standard (for @@ -17696,8 +20132,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3574" ->26.2. SCO Unix</A +NAME="AEN4133" +>28.2. SCO Unix</A ></H2 ><P > @@ -17713,8 +20149,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3578" ->26.3. DNIX</A +NAME="AEN4137" +>28.3. DNIX</A ></H2 ><P >DNIX has a problem with seteuid() and setegid(). These routines are @@ -17820,8 +20256,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3607" ->26.4. RedHat Linux Rembrandt-II</A +NAME="AEN4166" +>28.4. RedHat Linux Rembrandt-II</A ></H2 ><P >By default RedHat Rembrandt-II during installation adds an 
@@ -17844,16 +20280,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3613" ->26.5. AIX</A +NAME="AEN4172" +>28.5. AIX</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3615" ->26.5.1. Sequential Read Ahead</A +NAME="AEN4174" +>28.5.1. Sequential Read Ahead</A ></H3 ><P >Disabling Sequential Read Ahead using "vmtune -r 0" improves @@ -17867,7 +20303,7 @@ CLASS="CHAPTER" ><A NAME="OTHER-CLIENTS" ></A ->Chapter 27. Samba and other CIFS clients</H1 +>Chapter 29. Samba and other CIFS clients</H1 ><P >This chapter contains client-specific information.</P ><DIV @@ -17875,8 +20311,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3633" ->27.1. Macintosh clients?</A +NAME="AEN4196" +>29.1. Macintosh clients?</A ></H2 ><P >Yes. <A @@ -17921,16 +20357,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3642" ->27.2. OS2 Client</A +NAME="AEN4205" +>29.2. OS2 Client</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3644" ->27.2.1. How can I configure OS/2 Warp Connect or +NAME="AEN4207" +>29.2.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?</A ></H3 ><P @@ -17988,8 +20424,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3659" ->27.2.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN4222" +>29.2.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?</A ></H3 ><P @@ -18032,8 +20468,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3668" ->27.2.3. Are there any other issues when OS/2 (any version) +NAME="AEN4231" +>29.2.3. Are there any other issues when OS/2 (any version) is used as a client?</A ></H3 ><P @@ -18054,8 +20490,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3672" ->27.2.4. How do I get printer driver download working +NAME="AEN4235" +>29.2.4. How do I get printer driver download working for OS/2 clients?</A ></H3 ><P 
@@ -18101,16 +20537,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3682" ->27.3. Windows for Workgroups</A +NAME="AEN4245" +>29.3. Windows for Workgroups</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3684" ->27.3.1. Use latest TCP/IP stack from Microsoft</A +NAME="AEN4247" +>29.3.1. Use latest TCP/IP stack from Microsoft</A ></H3 ><P >Use the latest TCP/IP stack from microsoft if you use Windows @@ -18131,8 +20567,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3689" ->27.3.2. Delete .pwl files after password change</A +NAME="AEN4252" +>29.3.2. Delete .pwl files after password change</A ></H3 ><P >WfWg does a lousy job with passwords. I find that if I change my @@ -18151,8 +20587,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3694" ->27.3.3. Configure WfW password handling</A +NAME="AEN4257" +>29.3.3. Configure WfW password handling</A ></H3 ><P >There is a program call admincfg.exe @@ -18170,8 +20606,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3698" ->27.3.4. Case handling of passwords</A +NAME="AEN4261" +>29.3.4. Case handling of passwords</A ></H3 ><P >Windows for Workgroups uppercases the password before sending it to the server. Unix passwords can be case-sensitive though. Check the <A @@ -18188,8 +20624,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3703" ->27.3.5. Use TCP/IP as default protocol</A +NAME="AEN4266" +>29.3.5. Use TCP/IP as default protocol</A ></H3 ><P >To support print queue reporting you may find @@ -18204,8 +20640,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3706" ->27.4. Windows '95/'98</A +NAME="AEN4269" +>29.4. Windows '95/'98</A ></H2 ><P >When using Windows 95 OEM SR2 the following updates are recommended where Samba @@ -18252,8 +20688,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3722" ->27.5. Windows 2000 Service Pack 2</A +NAME="AEN4285" +>29.5. Windows 2000 Service Pack 2</A ></H2 ><P 
> @@ -18319,15 +20755,49 @@ for the profile. This default ACL includes </P CLASS="COMMAND" >DOMAIN\user "Full Control"</B ></P +><DIV +CLASS="NOTE" ><P -><SPAN -CLASS="emphasis" -><I -CLASS="EMPHASIS" ->NOTE : This bug does not occur when using winbind to -create accounts on the Samba host for Domain users.</I -></SPAN ></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" +><P +>This bug does not occur when using winbind to +create accounts on the Samba host for Domain users.</P +></TD +></TR +></TABLE +></DIV +></DIV +><DIV +CLASS="SECT1" +><HR><H2 +CLASS="SECT1" +><A +NAME="AEN4302" +>29.6. Windows NT 3.1</A +></H2 +><P +>If you have problems communicating across routers with Windows +NT 3.1 workstations, read <A +HREF="http://support.microsoft.com/default.aspx?scid=kb;[LN];Q103765" +TARGET="_top" +>this Microsoft Knowledge Base article</A +>. </P ></DIV ></DIV ><DIV @@ -18336,7 +20806,7 @@ CLASS="CHAPTER" ><A NAME="COMPILING" ></A ->Chapter 28. How to compile SAMBA</H1 +>Chapter 30. How to compile SAMBA</H1 ><P >You can obtain the samba source from the <A HREF="http://samba.org/" @@ -18349,16 +20819,16 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3749" ->28.1. Access Samba source code via CVS</A +NAME="AEN4323" +>30.1. Access Samba source code via CVS</A ></H2 ><DIV CLASS="SECT2" ><H3 CLASS="SECT2" ><A -NAME="AEN3751" ->28.1.1. Introduction</A +NAME="AEN4325" +>30.1.1. Introduction</A ></H3 ><P >Samba is developed in an open environment. Developers use CVS @@ -18379,8 +20849,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3756" ->28.1.2. CVS Access to samba.org</A +NAME="AEN4330" +>30.1.2. CVS Access to samba.org</A ></H3 ><P >The machine samba.org runs a publicly accessible CVS 
@@ -18392,8 +20862,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3759" ->28.1.2.1. Access via CVSweb</A +NAME="AEN4333" +>30.1.2.1. Access via CVSweb</A ></H4 ><P >You can access the source code via your @@ -18413,8 +20883,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3764" ->28.1.2.2. Access via cvs</A +NAME="AEN4338" +>30.1.2.2. Access via cvs</A ></H4 ><P >You can also access the source code via a @@ -18454,9 +20924,9 @@ TYPE="1" > Run the command </P ><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot login</B +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot login</KBD > </P ><P @@ -18471,9 +20941,9 @@ CLASS="USERINPUT" > Run the command </P ><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co samba</B +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot co samba</KBD > </P ><P @@ -18488,12 +20958,12 @@ CLASS="PARAMETER" > and defining a tag name. A list of branch tag names can be found on the "Development" page of the samba web site. A common request is to obtain the - latest 2.2 release code. This could be done by using the following command. + latest 2.2 release code. This could be done by using the following userinput. </P ><P -> <B -CLASS="COMMAND" ->cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</B +> <KBD +CLASS="USERINPUT" +>cvs -d :pserver:cvs@samba.org:/cvsroot co -r SAMBA_2_2 samba</KBD > </P ></LI @@ -18503,9 +20973,9 @@ CLASS="COMMAND" the following command from within the samba directory: </P ><P -> <B -CLASS="COMMAND" ->cvs update -d -P</B +> <KBD +CLASS="USERINPUT" +>cvs update -d -P</KBD > </P ></LI @@ -18518,8 +20988,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3792" ->28.2. Accessing the samba sources via rsync and ftp</A +NAME="AEN4366" +>30.2. Accessing the samba sources via rsync and ftp</A ></H2 ><P > pserver.samba.org also exports unpacked copies of most parts of the CVS tree at <A 
@@ -18546,14 +21016,14 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3798" ->28.3. Building the Binaries</A +NAME="AEN4372" +>30.3. Building the Binaries</A ></H2 ><P ->To do this, first run the program <B -CLASS="COMMAND" +>To do this, first run the program <KBD +CLASS="USERINPUT" >./configure - </B + </KBD > in the source directory. This should automatically configure Samba for your operating system. If you have unusual needs then you may wish to run</P @@ -18632,8 +21102,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3826" ->28.3.1. Compiling samba with Active Directory support</A +NAME="AEN4400" +>30.3.1. Compiling samba with Active Directory support</A ></H3 ><P >In order to compile samba with ADS support, you need to have installed @@ -18682,8 +21152,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3838" ->28.3.1.1. Installing the required packages for Debian</A +NAME="AEN4412" +>30.3.1.1. Installing the required packages for Debian</A ></H4 ><P >On Debian you need to install the following packages:</P @@ -18713,8 +21183,8 @@ CLASS="SECT3" ><HR><H4 CLASS="SECT3" ><A -NAME="AEN3845" ->28.3.1.2. Installing the required packages for RedHat</A +NAME="AEN4419" +>30.3.1.2. Installing the required packages for RedHat</A ></H4 ><P >On RedHat this means you should have at least: </P @@ -18755,22 +21225,22 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3855" ->28.4. Starting the smbd and nmbd</A +NAME="AEN4429" +>30.4. Starting the smbd and nmbd</A ></H2 ><P >You must choose to start smbd and nmbd either - as daemons or from <B -CLASS="COMMAND" ->inetd</B ->. Don't try + as daemons or from <SPAN +CLASS="APPLICATION" +>inetd</SPAN +>Don't try to do both! Either you can put them in <TT CLASS="FILENAME" > inetd.conf</TT > and have them started on demand - by <B -CLASS="COMMAND" ->inetd</B + by <SPAN +CLASS="APPLICATION" +>inetd</SPAN >, or you can start them as daemons either from the command line or in <TT CLASS="FILENAME" 
@@ -18780,13 +21250,13 @@ CLASS="FILENAME" the bit about what user you need to be in order to start Samba. In many cases you must be root.</P ><P ->The main advantage of starting <B -CLASS="COMMAND" ->smbd</B +>The main advantage of starting <SPAN +CLASS="APPLICATION" +>smbd</SPAN > - and <B -CLASS="COMMAND" ->nmbd</B + and <SPAN +CLASS="APPLICATION" +>nmbd</SPAN > using the recommended daemon method is that they will respond slightly more quickly to an initial connection request.</P @@ -18795,8 +21265,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3865" ->28.4.1. Starting from inetd.conf</A +NAME="AEN4439" +>30.4.1. Starting from inetd.conf</A ></H3 ><P >NOTE; The following will be different if @@ -18857,19 +21327,39 @@ CLASS="FILENAME" ><P >NOTE: On many systems you may need to use the "interfaces" option in smb.conf to specify the IP address - and netmask of your interfaces. Run <B -CLASS="COMMAND" ->ifconfig</B + and netmask of your interfaces. Run <SPAN +CLASS="APPLICATION" +>ifconfig</SPAN > as root if you don't know what the broadcast is for your - net. <B -CLASS="COMMAND" ->nmbd</B + net. <SPAN +CLASS="APPLICATION" +>nmbd</SPAN > tries to determine it at run - time, but fails on some unixes. See the section on "testing nmbd" - for a method of finding if you need to do this.</P + time, but fails on some unixes. + </P +><DIV +CLASS="WARNING" +><P +></P +><TABLE +CLASS="WARNING" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif" +HSPACE="5" +ALT="Warning"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->!!!WARNING!!! Many unixes only accept around 5 +>Many unixes only accept around 5 parameters on the command line in <TT CLASS="FILENAME" >inetd.conf</TT 
@@ -18880,14 +21370,18 @@ CLASS="FILENAME" CLASS="COMMAND" >inetd</B >.</P +></TD +></TR +></TABLE +></DIV ><P >Restart <B CLASS="COMMAND" >inetd</B >, perhaps just send - it a HUP. If you have installed an earlier version of <B -CLASS="COMMAND" -> nmbd</B + it a HUP. If you have installed an earlier version of <SPAN +CLASS="APPLICATION" +> nmbd</SPAN > then you may need to kill nmbd as well.</P ></DIV ><DIV @@ -18895,8 +21389,8 @@ CLASS="SECT2" ><HR><H3 CLASS="SECT2" ><A -NAME="AEN3894" ->28.4.2. Alternative: starting it as a daemon</A +NAME="AEN4469" +>30.4.2. Alternative: starting it as a daemon</A ></H3 ><P >To start the server as a daemon you should create @@ -18938,13 +21432,37 @@ CLASS="COMMAND" CLASS="COMMAND" >smbd</B >.</P +><DIV +CLASS="NOTE" +><P +></P +><TABLE +CLASS="NOTE" +WIDTH="100%" +BORDER="0" +><TR +><TD +WIDTH="25" +ALIGN="CENTER" +VALIGN="TOP" +><IMG +SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif" +HSPACE="5" +ALT="Note"></TD +><TD +ALIGN="LEFT" +VALIGN="TOP" ><P ->NOTE: If you use the SVR4 style init system then +>If you use the SVR4 style init system then you may like to look at the <TT CLASS="FILENAME" >examples/svr4-startup</TT > script to make Samba fit into that system.</P +></TD +></TR +></TABLE +></DIV ></DIV ></DIV ></DIV @@ -18954,18 +21472,18 @@ CLASS="CHAPTER" ><A NAME="BUGREPORT" ></A ->Chapter 29. Reporting Bugs</H1 +>Chapter 31. Reporting Bugs</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3917" ->29.1. Introduction</A +NAME="AEN4500" +>31.1. Introduction</A ></H2 ><P >The email address for bug reports for stable releases is <A -HREF="samba@samba.org" +HREF="mailto:samba@samba.org" TARGET="_top" >samba@samba.org</A >. @@ -19005,8 +21523,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3927" ->29.2. General info</A +NAME="AEN4510" +>31.2. General info</A ></H2 ><P >Before submitting a bug report check your config for silly 
@@ -19015,8 +21533,7 @@ you've misconfigured something and run testparm to test your config file for correct syntax.</P ><P >Have you run through the <A -HREF="Diagnosis.html" -TARGET="_top" +HREF="#DIAGNOSIS" >diagnosis</A >? This is very important.</P @@ -19030,8 +21547,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3933" ->29.3. Debug levels</A +NAME="AEN4516" +>31.3. Debug levels</A ></H2 ><P >If the bug has anything to do with Samba behaving incorrectly as a @@ -19061,9 +21578,15 @@ include = /usr/local/samba/lib/smb.conf.%m</PRE >then create a file <TT CLASS="FILENAME" ->/usr/local/samba/lib/smb.conf.machine</TT +>/usr/local/samba/lib/smb.conf.<VAR +CLASS="REPLACEABLE" +>machine</VAR +></TT > where -"machine" is the name of the client you wish to debug. In that file +<VAR +CLASS="REPLACEABLE" +>machine</VAR +> is the name of the client you wish to debug. In that file put any smb.conf commands you want, for example <B CLASS="COMMAND" @@ -19084,7 +21607,10 @@ CLASS="COMMAND" >debuglevel =</B > that has been used in older versions of Samba and is being retained for backwards -compatibility of smb.conf files.</P +compatibility of <TT +CLASS="FILENAME" +>smb.conf</TT +> files.</P ><P >As the <B CLASS="COMMAND" @@ -19100,14 +21626,14 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3950" ->29.4. Internal errors</A +NAME="AEN4536" +>31.4. Internal errors</A ></H2 ><P >If you get a "INTERNAL ERROR" message in your log files it means that Samba got an unexpected signal while running. It is probably a segmentation fault and almost certainly means a bug in Samba (unless -you have faulty hardware or system software)</P +you have faulty hardware or system software).</P ><P >If the message came from smbd then it will probably be accompanied by a message which details the last SMB message received by smbd. This 
@@ -19117,7 +21643,10 @@ include it in your bug report.</P >You should also detail how to reproduce the problem, if possible. Please make this reasonably detailed.</P ><P ->You may also find that a core file appeared in a "corefiles" +>You may also find that a core file appeared in a <TT +CLASS="FILENAME" +>corefiles</TT +> subdirectory of the directory where you keep your samba log files. This file is the most useful tool for tracking down the bug. To use it you do this:</P @@ -19128,11 +21657,20 @@ CLASS="COMMAND" ></P ><P >adding appropriate paths to smbd and core so gdb can find them. If you -don't have gdb then try "dbx". Then within the debugger use the -command "where" to give a stack trace of where the problem +don't have gdb then try <KBD +CLASS="USERINPUT" +>dbx</KBD +>. Then within the debugger use the +command <KBD +CLASS="USERINPUT" +>where</KBD +> to give a stack trace of where the problem occurred. Include this in your mail.</P ><P ->If you known any assembly language then do a "disass" of the routine +>If you known any assembly language then do a <KBD +CLASS="USERINPUT" +>disass</KBD +> of the routine where the problem occurred (if its in a library routine then disassemble the routine that called it) and try to work out exactly where the problem is by looking at the surrounding code. Even if you 
@@ -19144,15 +21682,30 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3960" ->29.5. Attaching to a running process</A +NAME="AEN4550" +>31.5. Attaching to a running process</A ></H2 ><P >Unfortunately some unixes (in particular some recent linux kernels) refuse to dump a core file if the task has changed uid (which smbd does often). To debug with this sort of system you could try to attach -to the running process using "gdb smbd PID" where you get PID from -smbstatus. Then use "c" to continue and try to cause the core dump +to the running process using <KBD +CLASS="USERINPUT" +>gdb smbd <VAR +CLASS="REPLACEABLE" +>PID</VAR +></KBD +> where you get <VAR +CLASS="REPLACEABLE" +>PID</VAR +> from +<SPAN +CLASS="APPLICATION" +>smbstatus</SPAN +>. Then use <KBD +CLASS="USERINPUT" +>c</KBD +> to continue and try to cause the core dump using the client. The debugger should catch the fault and tell you where it occurred.</P ></DIV @@ -19161,18 +21714,18 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3963" ->29.6. Patches</A +NAME="AEN4558" +>31.6. Patches</A ></H2 ><P >The best sort of bug report is one that includes a fix! If you send us -patches please use <B -CLASS="COMMAND" ->diff -u</B +patches please use <KBD +CLASS="USERINPUT" +>diff -u</KBD > format if your version of -diff supports it, otherwise use <B -CLASS="COMMAND" ->diff -c4</B +diff supports it, otherwise use <KBD +CLASS="USERINPUT" +>diff -c4</KBD >. Make sure your do the diff against a clean version of the source and let me know exactly what version you used. </P @@ -19184,14 +21737,14 @@ CLASS="CHAPTER" ><A NAME="DIAGNOSIS" ></A ->Chapter 30. The samba checklist</H1 +>Chapter 32. The samba checklist</H1 ><DIV CLASS="SECT1" ><H2 CLASS="SECT1" ><A -NAME="AEN3986" ->30.1. Introduction</A +NAME="AEN4581" +>32.1. Introduction</A ></H2 ><P >This file contains a list of tests you can perform to validate your 
@@ -19212,8 +21765,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN3991" ->30.2. Assumptions</A +NAME="AEN4586" +>32.2. Assumptions</A ></H2 ><P >In all of the tests it is assumed you have a Samba server called @@ -19250,17 +21803,18 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4001" ->30.3. Tests</A +NAME="AEN4596" +>32.3. The tests</A ></H2 ><DIV -CLASS="SECT2" -><H3 -CLASS="SECT2" -><A -NAME="AEN4003" ->30.3.1. Test 1</A -></H3 +CLASS="PROCEDURE" +><P +><B +>Diagnosing your samba server</B +></P +><OL +TYPE="1" +><LI ><P >In the directory in which you store your smb.conf file, run the command "testparm smb.conf". If it reports any errors then your smb.conf @@ -19274,15 +21828,8 @@ CLASS="FILENAME" CLASS="FILENAME" >/usr/local/samba/lib</TT ></P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4009" ->30.3.2. Test 2</A -></H3 +></LI +><LI ><P >Run the command "ping BIGSERVER" from the PC and "ping ACLIENT" from the unix box. If you don't get a valid response then your TCP/IP @@ -19300,15 +21847,8 @@ you do have correct entries for the remainder of these tests. </P software. You will need to relax the rules to let in the workstation in question, perhaps by allowing access from another subnet (on Linux this is done via the ipfwadm program.)</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4015" ->30.3.3. Test 3</A -></H3 +></LI +><LI ><P >Run the command "smbclient -L BIGSERVER" on the unix box. You should get a list of available shares back. </P 
@@ -19371,15 +21911,8 @@ to start smbd as a daemon, it can avoid a lot of frustration!</P and / or broadcast address settings are incorrect. Please check that the network interface IP Address / Broadcast Address / Subnet Mask settings are correct and that Samba has correctly noted these in the log.nmb file.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4030" ->30.3.4. Test 4</A -></H3 +></LI +><LI ><P >Run the command "nmblookup -B BIGSERVER __SAMBA__". You should get the IP address of your Samba server back.</P @@ -19392,15 +21925,8 @@ to udp port 137.</P parameters on the command line. If this is the case then create a one-line script that contains the right parameters and run that from inetd.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4035" ->30.3.5. Test 5</A -></H3 +></LI +><LI ><P >run the command <B CLASS="COMMAND" @@ -19413,15 +21939,8 @@ got the name of the PC wrong. </P ><P >If ACLIENT doesn't resolve via DNS then use the IP address of the client in the above test.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4041" ->30.3.6. Test 6</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19447,15 +21966,8 @@ subnet.</P ><P >This test will probably fail if your subnet mask and broadcast address are not correct. (Refer to TEST 3 notes above).</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4049" ->30.3.7. Test 7</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19536,15 +22048,8 @@ when you type <B CLASS="COMMAND" >dir</B >.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4075" ->30.3.8. Test 8</A -></H3 +></LI +><LI ><P >On the PC type the command <B CLASS="COMMAND" 
@@ -19596,15 +22101,8 @@ name and password.</P it probably means that the host is not contactable via tcp services. Check to see if the host is running tcp wrappers, and if so add an entry in the hosts.allow file for your client (or subnet, etc.)</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4092" ->30.3.9. Test 9</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19630,15 +22128,8 @@ CLASS="FILENAME" >smb.conf</TT >. Turn it back on to fix.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4100" ->30.3.10. Test 10</A -></H3 +></LI +><LI ><P >Run the command <B CLASS="COMMAND" @@ -19656,15 +22147,8 @@ CLASS="COMMAND" >preferred master = yes</B > to ensure that an election is held at startup.</P -></DIV -><DIV -CLASS="SECT2" -><HR><H3 -CLASS="SECT2" -><A -NAME="AEN4106" ->30.3.11. Test 11</A -></H3 +></LI +><LI ><P >From file manager try to browse the server. Your samba server should appear in the browse list of your local workgroup (or the one you @@ -19683,6 +22167,8 @@ CLASS="COMMAND" > in your smb.conf file, or enable encrypted passwords AFTER compiling in support for encrypted passwords (refer to the Makefile).</P +></LI +></OL ></DIV ></DIV ><DIV @@ -19690,8 +22176,8 @@ CLASS="SECT1" ><HR><H2 CLASS="SECT1" ><A -NAME="AEN4111" ->30.4. Still having troubles?</A +NAME="AEN4697" +>32.4. Still having troubles?</A ></H2 ><P >Try the mailing list or newsgroup, or use the ethereal utility to @@ -19706,7 +22192,7 @@ out the samba web page at <A HREF="http://samba.org/samba" TARGET="_top" ->http://samba.org/samba</A +>http://samba.org/samba/</A ></P ><P >Also look at the other docs in the Samba package!</P -- cgit